Security fixes are handled on the latest released version of Cinder. Before the
first stable release, report issues against main.

Please do not open a public issue for vulnerabilities that could expose wallet material, transaction-signing behavior, or user funds.

Report privately by contacting the maintainers through the repository security advisory flow, or email the project owner if a private advisory channel has not yet been enabled.

Include:
- Affected version or commit.
- Steps to reproduce.
- Whether a wallet, keypair, transaction signature, or RPC credential may be exposed.
- Any suggested mitigation.

The maintainers will acknowledge valid reports, investigate impact, and prepare a fix before public disclosure when appropriate.