Preferred (private):
- Use GitHub Security Advisories ("Report a vulnerability" in the Security tab).
Fallback (public):
- Open a GitHub issue without sensitive details and request a move to a private channel.
Do not post secrets, exploit code, or private user data in public issues.
Include in your report:
- Affected component (e.g. installer, ISO build scripts, configs)
- Reproduction steps or a minimal proof-of-concept
- Impact assessment (what could an attacker do?)
We aim to acknowledge reports within a reasonable time and coordinate a fix and disclosure timeline with the reporter when appropriate.