Security updates apply to the current main branch and the latest published release artifacts.

Use GitHub private vulnerability reporting when available, or open a minimal public issue if the report does not contain exploit details, sensitive indicators, or undisclosed bypass information.

Include:

• Affected rule, pack, workflow, or tool.
• Impact and expected behavior.
• Reproduction steps or a minimal sample when safe to share.
• Suggested fix, mitigation, or detection improvement if known.

Maintainers will triage reports by impact and exploitability. Public fixes should avoid publishing unnecessary weaponized detail and should keep detection content reproducible through the normal validation workflow.