Report suspected vulnerabilities in the public website, public repository, or official-channel routing to leng.jixiang@ninenames.com. Include asset, impact, reproduction notes, and contact.

Do not perform destructive testing, access non-public data, disrupt service, exfiltrate secrets, or include patient files.

This is not a paid reward program or authorization to test private systems. Sensitive, legal, or confidential material stays out of public issues.

Reports are reviewed for scope, safety, reproducibility, and remediation before any public acknowledgment.