Report vulnerabilities privately to the maintainers before public disclosure. Include affected revision, reproduction steps, impact, and any known mitigations. Maintainers will acknowledge reports within 72 hours, coordinate fixes privately, and publish advisories once a fix is available.