Use GitHub Private Vulnerability Reporting for the affected repository. Open the repository's Security tab, open Advisories, then select Report a vulnerability. Include the affected repository and revision, a concise reproduction, impact, and any suggested mitigation.
Do not disclose a live vulnerability, proof of concept, exploit detail, or affected-system information in a public issue, discussion, pull request, or commit. Do not open a public issue to ask for a reporting channel.
Private Vulnerability Reporting is enabled per repository. Maintainers can follow GitHub's configuration guidance to make the Report a vulnerability control available.
This policy does not set a response-time commitment, bounty program, or disclosure timetable.