Security reports are welcome for the current mainline of the repository and for the latest published release.

Please do not open public issues for security-sensitive bugs.

Instead:

• describe the issue clearly
• include reproduction steps if possible
• include affected files or endpoints
• include expected impact

Use a private maintainer contact channel or a private repository security advisory if the GitHub repository is configured for it.

• acknowledgement as soon as practical
• confirmation once the report is reproduced
• a fix timeline when possible
• public disclosure only after a fix or mitigation is available

• Cloud connectors in this repository are intentionally labeled conservatively when not live-validated.
• Security findings that depend on real tenant credentials should still be reported if the code path is affected.