Security Policy

Reporting a vulnerability

Do not open a public issue for security-sensitive findings.
If the repository supports GitHub private vulnerability reporting, use "Report a vulnerability".
Otherwise contact @zzragida privately and include impact, affected repository, reproduction steps, and suggested mitigations.

Scope

Private repositories, workflows, credentials, datasets, and model/prompt handling are all in scope.
Low-confidence findings are still worth reporting if they could expose data or reduce trust in evaluation results.

Response goals

Acknowledge receipt as quickly as practical.
Triage by impact to confidentiality, integrity, availability, and experiment trustworthiness.
Coordinate a fix, validation, and disclosure plan before broad distribution.