Security fixes are applied on the default branch.

Please do not disclose security vulnerabilities in public issues.
Open a private report with:
- A clear description of the issue
- Reproduction steps or proof-of-concept
- Potential impact
- Suggested mitigation (if known)

If private reporting channels are not available yet, open a minimal public issue without exploit details and request secure contact.

Never share:
- Vast API keys
- Bearer tokens
- Telegram bot tokens

When posting logs, redact all secrets and private hostnames/IPs.