Security updates are provided on a best-effort basis for the latest state of the main branch.
Please do not report security issues in public GitHub issues.
Use GitHub private vulnerability reporting:
Include:
- affected component and version/commit
- clear reproduction steps or proof of concept
- impact assessment
- suggested mitigation (if known)
Response timeline:
- initial acknowledgment target: within 72 hours
- status updates: as investigation progresses
- fix and disclosure timing: depends on severity and exploitability