Please report suspected vulnerabilities privately via GitHub's Private Vulnerability Reporting on the Security tab. Do not file public issues for security-sensitive reports.

We aim to acknowledge reports within 5 business days and to ship a fix or documented mitigation within 30 days for confirmed vulnerabilities, depending on severity and complexity.

The 3ncr.org v1 envelope is the only supported format. Security fixes land on the latest release of the v1.x line.