
Security: uaaw/fluxer-zig

SECURITY.md

Security Policy

Reporting Vulnerabilities

Please report vulnerabilities privately. Never post vulnerability information in public issues.

How to Report

  1. GitHub Security Advisories (recommended)

    • Repository top → Security → Report a vulnerability
  2. Or report via email

    • Email address: a@od.je

Information to Include in Your Report

  • Vulnerability type (XSS, SQLi, RCE, etc.)
  • Affected versions
  • Steps to reproduce (as detailed as possible)
  • Expected impact (information leakage, privilege escalation, etc.)
  • Screenshots or PoC, if available

Response Process

  1. After receiving a report, we will acknowledge receipt within 48 hours
  2. We will verify the vulnerability and assess its severity
  3. We will develop a fix (typically targeting within 30 days)
  4. After the fix is released, we will assign a CVE (if needed) and disclose publicly

Disclosure Timing

  • We follow responsible disclosure and disclose as soon as a fix is ready
  • For especially severe vulnerabilities, we may disclose earlier after prior coordination

Acknowledgements

Contributors who report vulnerabilities may (if they wish) have their name listed in release notes or the Contributors section.

There aren't any published security advisories