Security fixes are applied to the default branch of this repository (main / master as applicable). Use the latest release or commit when deploying.

Please do not open a public GitHub issue for security vulnerabilities.

Instead, use one of the following:

1. GitHub private vulnerability reporting — If enabled for this repository, use Security → Report a vulnerability on the GitHub project page.
2. Maintainer contact — Use the contact or coordination path described on ghost.bizs.app/contribute.html for sensitive reports.

Include:

• A short description of the issue and its impact
• Steps to reproduce or proof-of-concept (if safe to share)
• Affected versions or commits, if known

We aim to acknowledge reports within a few business days and will work with you on a fix and disclosure timeline.

In scope: this repository’s code, default configuration, and documented deployment paths. Out of scope: third-party services, misconfigured API keys in your environment, or issues in dependencies unless they require a change in this project.