Security fixes are provided on the main branch. For historical commits/tags, fixes are not guaranteed unless explicitly stated.

Please do not open public issues for suspected vulnerabilities.

Report privately via GitHub Security Advisories (preferred). Include:

• Affected component/file
• Reproduction steps or proof of concept
• Impact assessment
• Suggested remediation (optional)

• Initial acknowledgment: within 72 hours
• Triage and severity assessment: as soon as reproducible details are available
• Status updates: shared during investigation until resolution

• Please keep vulnerability details private until a fix is available
• After remediation, coordinated disclosure is welcome