1. Do not open a public issue for security vulnerabilities.
2. Use GitHub Security Advisory draft for this repository whenever possible.
3. If advisory is unavailable, contact maintainers through organization channels and include:
   • impact summary
   • reproduction steps
   • affected files/versions
   • suggested mitigation (if any)

We will acknowledge within 3 business days and provide an initial remediation plan after triage.

1. Keep details private until a fix or mitigation is ready.
2. Coordinate disclosure timing with maintainers.
3. Publish a release note entry once the fix is released.