Security fixes are applied on a best-effort basis to the latest main branch and newest tagged release.

Please do not open public GitHub issues for potential security vulnerabilities.

Use one of these private paths instead:

1. GitHub Security Advisories ("Report a vulnerability" in the Security tab)
2. A private maintainer contact channel, if available

When reporting, include:

• Affected commit/tag/version
• Reproduction steps or proof of concept
• Impact assessment (confidentiality/integrity/availability)
• Suggested mitigation (if known)

We will acknowledge reports as quickly as possible and aim to provide:

• Initial triage within 7 days
• A remediation plan or status update after validation
• Coordinated disclosure timing once a fix is available