Security reports are relevant for:
- published package code
- docs/playground runtime behavior
- GitHub Actions and release automation
- dependency or supply-chain issues affecting this repository

Do not open a public issue for an unpatched vulnerability.
Use GitHub Security Advisories for private reporting when the repository is hosted on GitHub. If that is not available yet, contact the maintainers privately before any public disclosure.
- triage and acknowledgment as quickly as practical
- confirmation of whether the issue is in scope
- coordinated fix and disclosure path when valid

The project does not guarantee support for speculative reports without a reproducible impact path.