This project is under active development. Security fixes are applied to the latest main branch.
Please do not report security vulnerabilities via public GitHub issues.
Instead, report privately by contacting the maintainers through a private channel (for example, direct email or a private security advisory, if enabled).
When reporting, include:
- affected component(s) (server/, client/, proto/),
- reproduction steps,
- impact assessment,
- and any suggested mitigations.
We will acknowledge reports as quickly as possible and aim to provide an initial response within 7 days.
- We will investigate and validate the report.
- We may request additional details or a proof of concept.
- A fix will be prepared and tested.
- Coordinated disclosure will follow once a patch is ready.
This repository is currently a protocol-correctness/development implementation and is not hardened for production deployment. Security hardening contributions are welcome.