If you find a security issue, please report it privately. Do not attempt to access other users' accounts, extract data, disrupt service, or publicly disclose a vulnerability before we have had a reasonable chance to fix it.
Security reports should include the affected page, steps to reproduce, impact, and your contact email. Reports involving account access, private submissions, deletion workflows, or admin routes should be treated as high priority.