Do not report real credentials, private keys, tokens, personal data, or exploitable production details in public issues.
For sensitive reports, contact the maintainers privately.
When demonstrating a vulnerability:
- use authorised systems;
- redact secrets and personal data;
- provide the minimum reproduction required;
- avoid destructive testing;
- disclose responsibly.