Report privately, not in a public issue or PR: use GitHub private advisories or email roche@httrack.com (alternate: xroche at gmail dot com).
Include the HTTrack version and platform, a concrete reproduction (command line, a sample page or server response, or a small proof of concept), and what an attacker gains. We'll acknowledge it and keep you posted. Please allow time for a release before disclosing publicly.
Fixes land on master and ship in the next release; older releases aren't
maintained. Confirm against current master when you can.
Scanners and LLMs are fine, but only send reports you have verified yourself. A confirmed, reproducible issue is worth our time; a plausible one that doesn't reproduce is not, and will be closed. If a report is AI-assisted, say so.