SECURITY.md.
Do not publish:
- Private audit notes.
- Exploit details before remediation.
- Customer data.
- Real secrets, tokens, webhook signatures, or provider keys.
How to handle vulnerabilities and security-sensitive docs updates.
SECURITY.md.
Do not publish: