We review security reports against the current main branch and the latest published release.

Please do not open a public issue for security vulnerabilities.

Use one of the following private channels instead:

• GitHub user @forman
• GitHub Security Advisories (once available for this repository)

Include as much of the following as you can:

• A short description of the issue
• The affected package, module, or endpoint
• Steps to reproduce
• Any proof of concept or example input
• The expected impact

• We will acknowledge the report as soon as practical.
• We will investigate privately before any public disclosure.
• If a fix is needed, we will coordinate a safe release and credit the reporter if desired.

If you are doing good-faith security research, please avoid:

• Accessing data that does not belong to you
• Disrupting service availability
• Modifying data or code without permission
• Publicly sharing details before we have had a chance to respond