Please report security issues privately. Do not open public issues for active vulnerabilities.

Preferred path:
- Open a private security advisory in the repository.
- Include reproduction steps, impact, and affected files/components.
- Include your proposed mitigation if available.

If private advisories are not available in your hosting setup, contact the maintainers directly before public disclosure.

Security fixes are applied to the latest mainline codebase first. Older snapshots may not receive backported fixes.

- We acknowledge valid reports as quickly as possible.
- We triage severity and define remediation scope.
- We ship a fix, then coordinate disclosure notes and upgrade guidance.