Pyra is pre-1.0. Security fixes are targeted at:

• the latest tagged release
• the current main branch when a fix has not shipped yet

Older builds may not receive backports.

Please do not open a public GitHub issue for security-sensitive reports.

Preferred path:

1. Use GitHub's private vulnerability reporting for this repository.
2. Include the affected version, platform, impact, and reproduction details.

If private vulnerability reporting is not available yet, contact the maintainer through a private channel and avoid posting exploit details publicly until a fix is available.

The goal is to acknowledge new reports within a few business days and keep the reporter updated on fix and disclosure timing.