Report suspected vulnerabilities privately to prowlr@proton.me. Please include a reproduction, affected version/commit, and impact assessment. We aim to acknowledge within 72 hours and follow a 90-day coordinated disclosure window from first contact — extendable by mutual agreement if a fix needs more time. There is no bug bounty at this stage; credit is offered in the release notes unless you request otherwise.