For potential vulnerabilities, report privately through your security disclosure channel first. Do not open a public issue for sensitive details until a fix is available.
- Threat model: docs/core/THREAT_MODEL.md
- Security release checklist: docs/core/SECURITY_RELEASE_CHECKLIST.md
- Security fuzz process: docs/core/SECURITY_FUZZ_PROCESS.md
- Security implementation notes: docs/core/CODEX_SECURITY_TODO.md