Please do not open public GitHub issues for suspected security vulnerabilities.

Until a dedicated security inbox is published, report vulnerabilities privately to
support@input.so with "Pen security" in the subject line. Include:
- a description of the issue
- impact and affected packages
- reproduction steps or a proof of concept
- any suggested remediation if you have one

We will acknowledge reports as quickly as we can and coordinate remediation before any public disclosure.

This policy applies to the Pen repository, its published packages, and the repository playground/docs apps when the issue affects shipped package behavior.