Do not open a public GitHub issue for security vulnerabilities.
Email the maintainers directly via the contact on the GitHub profile. Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested mitigations
You can expect an acknowledgement within 48 hours and a status update within 7 days.