We take security seriously. If you discover a security vulnerability, please report it responsibly.

1. Do not open a public issue. Instead, contact the maintainers privately via email: contact@tristanbudd.com or open a private GitHub security advisory.
2. Provide a clear description, steps to reproduce, and potential impact.
3. We will acknowledge receipt within 48 hours and work with you to resolve the issue.

We will provide security fixes for the latest released version and any actively maintained previous release branches.

We will coordinate disclosure timelines with the reporter. After fixes are released, we will publicly disclose the issue with credit to the reporter unless requested otherwise.