Do not open a public issue for suspected vulnerabilities.
Use GitHub Security Advisories for this repository when private vulnerability reporting is enabled. If that setting is not available yet, contact the maintainer privately and include the affected commit/tag, impact, reproduction steps, and any proof of concept.
The organization still needs a final public security contact. Until then, private GitHub advisories are the preferred intake path.
The active main branch and the latest tagged release are supported by default.
Older versions are handled case by case until a formal support matrix is published.
- Acknowledge valid private reports within 7 days when possible.
- Triage severity, affected versions, and exploitability before public disclosure.
- Prepare a fix, release note, and upgrade guidance before disclosing details.