This repository contains code published as-is. Security handling is best-effort.

A security issue is a concrete vulnerability in this project that crosses a real trust boundary, such as unintended access, data exposure, integrity compromise, or privilege escalation caused by this code itself.

Bugs are not automatically security vulnerabilities. Incorrect usage, unsafe composition, missing hardening features, and design preferences are usually not security issues.

If you’re reporting something subtle, include a threat model and a concrete impact. Reports without impact may be declined.

Preferred: use GitHub Security Advisories for this repository (Security tab, “Report a vulnerability”) if enabled. Otherwise: email the contact listed in the repository metadata or maintainer profile.

There are no guaranteed response times. There is no bug bounty. Severity and prioritization are determined by the maintainer.

Silence does not imply confirmation, rejection, or urgency.

Any decision to patch, document, disclose, or request a CVE is made at the maintainer’s discretion. No commitments are made regarding advisories, coordinated disclosure, or timelines.

This software is provided as-is, without warranty of any kind. Use in security-sensitive contexts is entirely at your own risk.