Do not open a public GitHub issue for security-sensitive reports.

Use GitHub's private vulnerability reporting flow as the primary reporting channel for this repository. If you cannot use that flow, email andrewkoltsov@gmail.com with:

• a concise description of the issue
• affected versions and environments
• reproduction steps or a proof of concept
• any suggested mitigation if you already have one

I will acknowledge new reports within 3 business days.

Once an issue is confirmed, I will coordinate a fix and disclosure timeline. High-severity issues are targeted for remediation or mitigation within 30 calendar days, and critical issues are expedited ahead of that target when feasible.

When a security fix is publicly disclosed, the release notes will call it out explicitly.