Security fixes are applied to the main branch.

Please do not open public issues for security vulnerabilities.

Preferred path:

1. Use GitHub's private vulnerability reporting in the repository Security tab.
2. Include reproduction steps, affected files, and potential impact.

If private reporting is unavailable, open a minimal issue titled [SECURITY] without exploit details, and maintainers will provide a private follow-up path.

• Initial triage response target: within 5 business days.
• If confirmed, maintainers will prepare and publish a fix as soon as practical.
• Credit and disclosure timeline will be coordinated with the reporter.