The current active branch is the supported version for security fixes.

If you find a security issue in REO, please report it privately.

• Do not open a public issue for vulnerabilities.
• Send the full details to the project owner or the private support contact used for development.
• Include clear reproduction steps, affected files or routes, and the possible impact.
• If possible, include a proof of concept, screenshots, request payloads, or logs.

What to expect:

• Initial acknowledgment should happen as soon as reasonably possible.
• Valid reports will be reviewed privately.
• If the issue is confirmed, a fix will be prepared before public disclosure.
• If the report is not accepted as a security issue, you may still receive guidance on whether it should be treated as a normal bug instead.

Please keep vulnerability details private until a fix is available.