Disclosure Policy
Responsible reporting
If you discover a security issue:
- report it privately
- include clear reproduction steps
- include impacted component or repository
- include logs or screenshots only when they do not expose secrets
What to include
- affected repo or environment
- steps to reproduce
- expected behavior
- actual behavior
- severity estimate
- any suggested mitigation
What not to do
- do not publish secrets
- do not exfiltrate user funds or credentials
- do not expand impact beyond what is required to confirm the issue