Security: ToolmeshAI/mcp-saas-foundry

SECURITY.md

Security Policy

Supported Versions

This repository is still early. Security fixes are targeted at the latest published line and the current main branch.

Version    Supported
main       Yes
0.1.x      Yes
< 0.1.0    No

Reporting a Vulnerability

Do not open a public GitHub issue for a vulnerability report.

Preferred order:

  1. Use GitHub's private vulnerability reporting flow, if it is enabled for this repository.
  2. If the maintainers publish a direct security contact, use that private channel.
  3. If no private route is available, open a minimal public issue requesting a secure contact path without sharing exploit details.

Include the following when possible:

  • Affected commit, branch, tag, or file path
  • Impact and attack preconditions
  • Reproduction steps or proof of concept
  • Suggested remediation or mitigation, if known

Response Targets

These are targets, not guarantees:

  • Acknowledge receipt within 3 business days
  • Provide an initial triage update within 7 business days
  • Share remediation or mitigation guidance once the issue is confirmed

Disclosure Expectations

Please give maintainers a reasonable window to investigate and prepare a fix before public disclosure. Once a fix is available, release notes and security guidance should point users to the patched version or mitigation steps.

There aren't any published security advisories