Report vulnerabilities privately.

Never commit:

• .env files
• certificates or signing material
• wallet secrets
• internal API credentials