DO NOT open a public GitHub issue for security vulnerabilities.

Open a GitHub Security Advisory to report privately.

We take security seriously. That's literally why this project exists.

• Authentication/authorization bypasses
• Cryptographic weaknesses
• Sandbox escapes
• Memory safety issues
• Any way to access secrets without proper authentication

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 1 week
• Fix Timeline: Depends on severity, but we move fast

Security researchers who report valid vulnerabilities will be credited in our security advisories (unless they prefer anonymity).

We don't have a bug bounty program yet, but we have gratitude and respect.