Report suspected vulnerabilities privately. Use GitHub private vulnerability reporting if enabled for this repository; otherwise contact the maintainers via the security contact channel documented in the repository settings.

Include:

• A clear impact statement;
• Affected versions or commit hash;
• Reproduction steps;
• Logs and packet captures where appropriate (redact secrets);
• A proposed fix, if you have one.

• Avoid public disclosure until a fix and advisory are ready.
• Do not post proof-of-concept code that enables misuse before coordination.

This policy covers:

• Client and server binaries;
• Protocol framing and parsing;
• Crypto provider integrations;
• Build and release scripts provided in this repository.