Security fixes are developed on main.

This repository does not currently maintain long-lived patch branches for older release tags. When a security fix is accepted, the supported upgrade path is the next release cut from main.

Preferred private reporting paths:

• email minecraft-ping@omkhar.net
• GitHub private vulnerability reporting

GitHub private vulnerability reporting should remain enabled so reporters have a structured in-product disclosure path in addition to email.

Do not open a public issue, discussion, or pull request for a security problem until a fix is available and coordinated disclosure is agreed.

Include:

• affected version or commit
• reproduction details
• impact assessment
• any proposed mitigation or patch, if available

If the report involves release integrity, signing, or provenance behavior, include the exact tag, workflow run, and artifact names involved.

Valid reports are triaged privately. When a fix is ready, the patched version and any coordinated disclosure details will be communicated through the normal release process or another agreed private coordination channel.