Do not open a public issue for problems that could reasonably be abused as a security vulnerability.
If a report involves any of the following, report it privately first:
- unsafe boot-state or rollback behavior
- unsafe recovery or rescue behavior
- insecure update handling
- privilege boundary violations
- command injection or unsafe host-side tooling behavior
- credential, token, or secret exposure
Include in the report:
- a short summary
- the affected subsystem
- reproduction steps if known
- likely impact
- suggested mitigation if available
Examples of security issues include:
- a recovery path that can be abused to bypass intended control
- unsafe boot-state handling that can force unintended boot behavior
- a host tool executing untrusted input unsafely
- secrets accidentally committed into the repository
- an update or recovery flow that becomes unsafe under malicious input
The following are usually not security issues:
- ordinary bring-up bugs
- documentation mistakes with no security impact
- expected instability in unfinished prototype code
- unsupported local modifications
- environment setup failures without a plausible security angle
Those should usually be reported through the normal public issue path.
This repository is in active early development. Security review and response are best-effort.