Impulse is still in alpha; expect vulnerabilities.
Security fixes target the active development branch until stable releases exist.
Do not open a public issue for a vulnerability. Contact the maintainers privately through the project owner's preferred private channel. Include:
- affected commit or release;
- reproduction steps;
- expected impact;
- whether native backend artifacts are involved.
If an AI tool helped find or analyze the issue, disclose that and explain how you verified the finding. Do not paste large blocks of AI-generated vulnerability text.
Security reports may include unsafe native loading behavior, command permission problems, crashes caused by untrusted world/plugin input, or dependency packaging issues.
General physics bugs, gameplay behavior, and performance problems should be reported through normal GitHub issues.