Security: salvo-rs/salvo

SECURITY.md

Security Policy

Supported Versions

Security fixes are provided for the latest stable release line and the main branch.

Version                        Supported
-----------------------------  -----------
Latest stable release series   Yes
main                           Best effort
Older release series           No

Reporting a Vulnerability

Please do not report security issues in public GitHub issues, pull requests, or discussions.

Report vulnerabilities by email to chris@acroidea.com. Include:

  • A clear description of the issue and affected components.
  • The Salvo version or commit you tested.
  • Steps to reproduce or a minimal proof of concept.
  • Any impact assessment you already have.

Response Process

  • Initial acknowledgement target: within 3 business days.
  • Status update target: within 7 business days after acknowledgement.
  • Fix timelines depend on severity, exploitability, and release coordination needs.

If the report is accepted, we will work on a fix privately before public disclosure.

Disclosure Policy

  • We will coordinate public disclosure after a fix or mitigation is available.
  • When possible, the fix will be released in a stable version and documented in release notes.
  • Reporters will be credited after disclosure if they want to be named.