Do not open a public issue for a security vulnerability.

Report security issues privately to the project maintainers with:

• a description of the issue
• impact
• reproduction steps
• affected versions or commits

• whether the issue affects private mode
• whether it can bypass sidecar validation
• whether it can execute unintended commands
• whether it can leak audit or artifact data

The project aims to acknowledge security reports promptly and publish fixes once a patch is available.