Security fixes are applied to actively maintained branches.

Please do not report security vulnerabilities in public issues.

Preferred path:

1. Use GitHub's private vulnerability reporting flow for this repository.
2. Include reproduction steps, impact, and any suggested mitigation.

If private reporting is unavailable, open a minimal public issue requesting a private contact channel and do not include exploit details.

• Initial acknowledgment target: within 72 hours.
• We will validate, triage severity, and share remediation progress.
• After a fix, we will coordinate disclosure timing and release notes.