Please do not open public issues for potential security vulnerabilities.
Send a private report with:
- Affected component/path
- Reproduction details
- Potential impact
- Suggested mitigation (if known)
Until a dedicated disclosure channel exists, open a minimal issue that only asks for a private contact route; do not include reproduction steps, affected paths, or exploit details in that issue.
Security reports are especially relevant for:
- Signature verification and key handling logic
- Replay/freshness checks
- Receipt integrity verification
- Policy enforcement boundary checks