To report a vulnerability, open a confidential issue at the repository or email the maintainer directly. Include reproduction steps and affected versions. Expect acknowledgement within 72 hours.
Do not disclose security issues publicly until a fix is available.