Security fixes are applied to the latest state of the repository.
Do not open a public GitHub issue for an undisclosed vulnerability.
Prefer one of these private channels:
- GitHub private vulnerability reporting, if enabled for the repository
- direct contact with the maintainer through a private channel
Include:
- a clear description of the issue
- reproduction steps or a minimal proof of concept
- impact on generated repositories or local execution
- any suggested mitigation
Project Kit writes files and can initialize Git repositories, so reports involving command execution, path handling, generated instructions, or secret leakage are especially relevant.