Please report security issues using GitHub's private vulnerability reporting:
Security tab → Advisories → Report a vulnerability.
If you cannot use that workflow, contact the maintainers through another private channel. Please avoid public issues for security reports.
In scope:
- PullVault source code and official release artifacts.
Out of scope:
- Third-party dependencies (please report to their maintainers first).
- Self-hosted deployments with local modifications.
Only the default branch (main) and the latest release (when available) receive security fixes.
We practice coordinated disclosure. Please allow a reasonable time for investigation and fixes before any public disclosure.