English  ·  한국어

fluo uses private reporting for suspected vulnerabilities whenever possible.

• Do not open a public issue or discussion for a suspected security problem.
• Preferred channel: GitHub Security Advisories
• If the advisory flow is unavailable, contact the repository owner through the GitHub account listed in CODE_OF_CONDUCT.md and include security in the subject or first line.

• affected package, version, or commit
• reproduction steps or proof of concept
• expected impact and realistic attack scenario
• any known mitigations or patch ideas

• initial triage acknowledgement within 5 business days
• follow-up once severity and fix strategy are confirmed
• coordinated disclosure after a fix or mitigation is available

• the main branch
• the latest tagged release line, when tags are available