If you discover a security issue, do not open a public bug report first.

Preferred path:
- use GitHub Security Advisories for private reporting

If private reporting is not available, open a minimal issue without exploit details and request a private contact path.

Security-sensitive areas include:
- privileged helper execution
- PolicyKit integration
- driver installation and removal flows
- command execution paths
- package and metadata distribution integrity