Security Policy Report vulnerabilities via GitHub Security Advisories or create a private issue Do not open public issues for security vulnerabilities We follow Coordinated Disclosure (90-day default)