Security fixes are targeted at the latest released version and the current main branch.
Please do not disclose suspected security issues in public issues, discussions, or pull requests first.
- Prefer GitHub's private vulnerability reporting flow or a GitHub Security Advisory draft when that option is available on the repository.
- If a private reporting path is not available, open a minimal public issue that requests a secure contact channel without including exploit details, proof-of-concept code, or sensitive target information.
When reporting, include as much of the following as you can:
- affected version or commit
- operating system and environment details
- reproduction steps or a minimized sample
- expected behavior vs. actual behavior
- impact assessment if known
We will triage reports as quickly as practical and coordinate on disclosure timing for confirmed vulnerabilities.