The latest main branch is considered supported. Security fixes are applied there first.

Please do not disclose vulnerabilities publicly before a fix is available.

Report security issues by emailing:

• joao.p.mello.dev@gmail.com

Include as much detail as possible:

• affected endpoint or module
• reproduction steps
• expected vs actual behavior
• potential impact
• suggested mitigation (if any)

• Initial acknowledgment: within 72 hours
• Triage status update: within 7 days
• Fix timeline: shared after triage based on severity

1. Issue is acknowledged and triaged.
2. Patch is developed and validated.
3. Release notes are prepared.
4. Public disclosure happens after patch availability.