Security: ktmage/jsonschema.zig

SECURITY.md

Security Policy

Supported Versions

Version Supported
v0.1.0

Reporting a Vulnerability

Please report security vulnerabilities through GitHub Security Advisories.

Do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

When reporting, please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Acknowledgment: Within 48 hours of receipt
  • Critical fixes: Within 30 days of confirmed report
  • Non-critical fixes: Addressed in the next scheduled release

Disclosure Policy

This project follows a coordinated disclosure model:

  1. The reporter submits the vulnerability privately via GitHub Security Advisories.
  2. The maintainers acknowledge and assess the report.
  3. A fix is developed and tested privately.
  4. The fix is released, and the vulnerability is disclosed publicly.

There is a 90-day disclosure deadline. If a fix is not released within 90 days of the initial report, the reporter may disclose the vulnerability publicly.

There aren't any published security advisories