Please do not open a public issue for problems that could realistically be abused as a security vulnerability.
Report the problem privately first, through the repository owner's available contact path, if it involves:
- command injection
- unauthorized control paths
- privilege boundary violations
- secret or credential exposure
- unsafe update or provisioning behavior
- a flaw that could enable dangerous unintended control through malicious input
Please include:
- a clear summary
- affected files or subsystem
- reproduction steps if known
- expected impact
- suggested mitigation if available
Examples of issues that should be reported privately include:
- a host-side tool executing untrusted input unsafely
- a control or messaging path that can be abused to perform unintended actions
- unsafe handling of credentials, tokens, or secrets once such setup exists
- a vulnerability that makes a documented supported workflow unsafe under malicious input
The following are generally not private security reports:
- ordinary bring-up bugs
- documentation mistakes with no security impact
- expected instability in unfinished prototype code
- unsupported local modifications
- environment setup failures without a plausible security angle
Those issues should usually be reported through the normal public bug or support path.
This repository is in the planning and bootstrap phase. Security handling is best-effort, and response time may vary.
Please allow time for review and mitigation before publishing detailed exploit steps. Coordinated disclosure is preferred.