Do not publicly disclose a vulnerability for at least 30 days.

To report a vulnerability, email [email protected] and expect a response within 30 days. If the matter cannot be privately resolved, make a pull request to put the platform into maintenance mode and then make a GitHub issue to resolve it with others.