Security: agentsClaw/NFAClaw

SECURITY.md

Security Policy

Supported Versions

The main branch is the supported open-source line.

Reporting a Vulnerability

Please do not open a public issue for unpatched vulnerabilities.

Use one of these paths:

  1. Open a private security advisory on the repository platform.
  2. Contact maintainers through a private channel and include:
    • affected file/function
    • impact summary
    • reproduction steps
    • suggested mitigation (if available)

Disclosure Process

  • We acknowledge reports as quickly as possible.
  • We validate and triage impact.
  • We patch and publish a coordinated fix note.
  • We credit reporters unless anonymity is requested.

In-Scope Areas

  • Contract funds/permissions logic
  • Auth signature verification
  • Rate-limit and replay resistance
  • Secret handling and config boundaries