If you discover a vulnerability, please report it responsibly:

1. Do not open a public GitHub issue for undisclosed critical bugs.
2. Contact the repository maintainers through the channel listed in the org profile (or open a private security advisory if enabled).

Include: affected component (contracts/, apps/web, apps/backend), reproduction steps, and impact assessment.