Security updates are provided for the latest default branch.

Please report vulnerabilities privately and do not create a public issue.

Preferred reporting options:

• Open a private GitHub security advisory through the repository Security tab
• If that is unavailable, contact the repository maintainers privately through GitHub

Please include:

• A clear description of the issue
• Impact assessment
• Steps to reproduce
• Proof-of-concept (if available)
• Suggested remediation (optional)

• Acknowledgement target: within 3 business days
• Initial triage: within 7 business days
• Fix timeline: depends on severity and complexity
• Coordinated disclosure after patch availability

We follow responsible disclosure and may request a reasonable embargo period until a fix is released.