Security fixes are generally provided only for the latest release or the current default branch.
Older releases and non-current branches may not receive security updates.
Please do not report security issues through public GitHub issues, pull requests, or discussions.
To report a vulnerability, please use GitHub Private Vulnerability Reporting for this repository.
When possible, include the following information in your report:
- A clear description of the issue
- The affected version, commit, or configuration
- Steps to reproduce the issue
- A proof of concept or sample exploit, if available
- The potential impact
Reports will be reviewed and assessed based on severity, reproducibility, and impact.
Response targets are as follows:
- Acknowledgement: within 7 days
- Initial assessment: within 30 days
The timeline for remediation or public disclosure will depend on the nature of the issue and the availability of a safe fix or mitigation.
Submitting a report does not guarantee that a fix will be issued, but confirmed issues will be evaluated and handled as appropriate.
Please avoid public disclosure of the issue until a fix or mitigation is available and users have had a reasonable opportunity to apply it.