Thank you for helping keep our open source projects secure.

Please report suspected security vulnerabilities privately using GitHub's private vulnerability reporting feature when it is available for the repository.

If private vulnerability reporting is not available, please contact the repository owner or maintainer directly instead of opening a public issue.

Please include:

• the affected repository and version or commit,
• a concise description of the issue,
• steps to reproduce or verify the issue,
• the potential impact, if known,
• any suggested mitigation, if available.

This policy applies to public repositories maintained under this GitHub account or organization that do not provide their own repository-specific security policy.

Many repositories are scientific, tooling, documentation, or package-scaffolding projects. They may not handle credentials, network services, or untrusted input directly, but security-sensitive issues can still arise in generated code, automation workflows, dependency handling, release processes, or documentation that users rely on.

Please do not disclose a suspected vulnerability publicly until it has been reviewed and, where appropriate, a fix or mitigation has been prepared.

We aim to acknowledge reports within a reasonable time and will coordinate with reporters in good faith. Response times may vary depending on project scope, maintainer availability, and the severity of the issue.

Unless a repository states otherwise, security fixes are normally made on the default branch and included in the next practical release. Older releases may not receive backported fixes.

For ordinary bugs, documentation problems, feature requests, or licensing questions, please use the repository's public issue tracker instead of the security reporting channel.