Security fixes are applied on a best-effort basis to the latest main branch and the most recent published release line.
Please do not disclose suspected vulnerabilities in public GitHub issues.
Preferred process:
- Use GitHub private vulnerability reporting for this repository if it is available in the repository security settings.
- If private reporting is not available, open a minimal public issue that only requests a private contact channel and does not include vulnerability details, proof-of-concept code, payloads, or sensitive file paths.
- Wait for a maintainer response before sharing any technical details publicly.
When reporting a vulnerability privately, include:
- affected commit, tag, or release version
- attack surface or vulnerable endpoint
- impact summary
- reproduction conditions
- suggested remediation, if available
Please give maintainers reasonable time to investigate and prepare a fix before public disclosure.
Once a fix is available, coordinated public disclosure is welcome.