Please report security vulnerabilities privately. Do not open a public issue for a security report.

Use GitHub's private vulnerability reporting: open the repository's Security tab and choose Report a vulnerability. This creates a private advisory visible only to the maintainers.

When reporting, please include:

• a description of the issue and its impact,
• the steps or a proof of concept needed to reproduce it,
• the affected version or commit, and
• any suggested remediation, if you have one.

You can expect an acknowledgement within a few days. We will confirm the issue, keep you informed of progress, and coordinate disclosure once a fix is available.

Quartermaster is in early development and does not yet publish stable releases. Security fixes are applied to the main branch.