Security: Zk-nd3r/zodl-android

SECURITY.md

Security Policy

Reporting Vulnerabilities

Use GitHub Private Vulnerability Reporting for this repository whenever available. This keeps reports private and gives maintainers a durable triage record.

Do not open a public GitHub issue, pull request, forum post, or social post for security vulnerabilities.

If GitHub Private Vulnerability Reporting is unavailable, contact the maintainer through an existing private channel and include enough detail to reproduce the issue.

Scope

Security-sensitive code, build scripts, protocol integration, wallet/explorer surfaces, tests, and documentation in this repository are in scope for private reporting.

Response

Reports should receive acknowledgement within 48 hours when maintainer capacity allows. Critical issues should receive a fix, mitigation, or risk note as quickly as practical.

Disclosure

Use coordinated disclosure. Public details should wait until maintainers confirm remediation or explicitly approve publication.

There aren't any published security advisories