Please do not disclose vulnerabilities through public issues before maintainers have had time to assess impact and prepare a fix.

Include the affected app/package, reproduction steps, impact, and any temporary mitigation you already validated.

Never commit production secrets, private keys, or real infrastructure IDs while preparing a report.