See also code conventions; there are a few guidelines about security of added code there.

Security issues may be reported via the GitHub private vulnerability reporting feature here. Note that this applies only to security issues; everything else should still be posted to issue tracker.

Please avoid publicly posting or discussing security issues that don't have a fix available yet.

Everyone with push access must use two-factor authentication for their Github accounts. Should their account still be compromised, other team members should be immediately notified via Discord.