Security Policy Report vulnerabilities to [email protected]. Do not open public issues with exploit details. We aim to triage within 72 hours.