Security fixes are expected for the latest published release line.

Please do not report security vulnerabilities through public GitHub issues.

Preferred process:

1. Use GitHub private vulnerability reporting: Security -> Advisories -> Report a vulnerability.
2. If private vulnerability reporting has not been enabled yet, open a minimal public GitHub issue that requests a private security contact path without including exploit details, secrets, payloads, or full reproduction steps.
3. Include a clear description of impact, affected versions, reproduction details, and any known mitigations once a private channel is established.

• Initial acknowledgement: within 3 business days
• Status update after triage: within 7 business days
• Fix timeline: depends on severity, exploitability, and release complexity

• Please allow time for investigation and coordinated remediation before public disclosure.
• Credit for responsible disclosure will be given unless you request otherwise.