Security: dwgx/QQbot

Security Policy

Thanks for taking the time to report security issues responsibly.

Please Do Not Publicly Post Secrets

Do not open public issues or pull requests that include:

  • API keys, tokens, passwords, cookies, session files, or recovery codes
  • private device reports, full logs, hostnames, IP addresses, account IDs, or personal paths
  • exploit steps that would directly help abuse a live service, account, game, device, or user

If a report needs sensitive evidence, describe the impact first and keep raw secrets and private logs out of any public text on GitHub.

Reporting

Use GitHub's private vulnerability reporting when it is available on this repository. If it is not available, open a minimal public issue that says a security report exists, without including sensitive details.

Useful reports include:

  • affected version or commit
  • operating system and runtime version
  • expected behavior vs actual behavior
  • minimal reproduction steps with fake/redacted data
  • whether the issue requires local access, authenticated access, or a public network path

Scope

Security expectations are local-first and project-specific. Many repositories under this account are personal tools, experiments, research notes, or prototypes. A good report focuses on practical user impact, not theoretical issues that require already owning the machine.

Response

I will triage reports as time allows. Critical issues that expose credentials, private data, destructive local actions, or unintended network access take priority.

There aren't any published security advisories