Each repository in this organization maintains its own release cycle. Security fixes are applied to the latest stable version of each project.

Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability, open a GitHub Security Advisory in the affected repository. This keeps the report private until a fix is ready.

Include as much detail as possible:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if you have one)

• Acknowledgement within 72 hours
• A fix or mitigation plan within 14 days for critical issues
• Credit in the release notes if you'd like it

This policy applies to all repositories under this organization. Third-party dependencies should be reported to their respective maintainers.