If you discover a security issue in tooling, automation, or repository configuration:

1. Do not open a public issue with exploit details.
2. Contact the maintainer privately.
3. Provide reproduction steps, impact, and suggested mitigation.

• Initial acknowledgment: within 7 days.
• Status update after triage.
• Public disclosure after fix coordination.