Report vulnerabilities through the hosting platform's private security-reporting mechanism. Do not open a public issue for an unpatched vulnerability.
Include affected versions, configuration, platform, impact, a minimal reproducer, and any suspected cross-repository dependency.
Until the first stable release, only the newest development line receives security fixes. A supported-version matrix will be added before 1.0.
- Integer overflow and invalid alignment.
- Use-after-free and wrong-owner release.
- Resource exhaustion and budget bypass.
- Allocator metadata corruption.
- Peer-controlled sizes, counts, nesting, queues, and work have hard limits.
- Secure defaults cannot be disabled implicitly by missing configuration.
- Secrets and untrusted payloads are not written to normal logs.
- Third-party security updates are tracked at provider boundaries.
- Security fixes include regression tests and coordinated upstream/downstream releases when required.