Please do not report security vulnerabilities in public GitHub issues or pull requests.

Instead, email the maintainer directly at esatzman@ucop.edu with:

• a description of the issue
• steps to reproduce or validate it
• the affected version or commit, if known
• any suggested mitigation, if available

I will make a best effort to review legitimate reports, but response times may vary.

Security reports are especially helpful for issues involving:

• capability or permission checks
• media or attachment access control
• AJAX actions and nonce validation
• remote update metadata or package trust
• Cloudflare Worker authentication or request validation

Please allow time for investigation and a fix before making details public.