We provide best-effort security fixes for the latest released version and the main branch.

Please do not open public issues for suspected security vulnerabilities.

Use one of these private channels:

1. GitHub Security Advisory (preferred): repository Security tab -> Report a vulnerability
2. If advisory is unavailable, contact maintainers through private channels listed in repository settings.

• Initial acknowledgement: within 72 hours
• Triage decision: within 7 days
• Status updates: at least every 7 days until resolution

• We coordinate a fix before public disclosure.
• Once fixed, we publish release notes with mitigation guidance.
• If secret leakage is involved, keys/tokens must be rotated immediately.