If you discover a security vulnerability, please report it privately:

1. Do not open a public issue
2. Email the maintainer or use GitHub's private vulnerability reporting
3. Include steps to reproduce and potential impact

• Acknowledgment: within 48 hours
• Initial assessment: within 1 week
• Fix timeline: depends on severity

Only the latest release is actively supported with security updates.