Until the first stable release, security fixes are made on the latest version of the default branch only.
If GitHub private vulnerability reporting is enabled for this repository, use Security → Report a vulnerability to contact the maintainers privately.
If that option is unavailable, open a public issue that asks the maintainers for a private contact channel. Do not include vulnerability details, exploit code, private paths, report contents, or other sensitive information in that issue.
Include the affected version, impact, reproduction steps, and any suggested mitigation in the private report. Please allow the maintainers time to investigate before publishing details.
General support requests and analyzer false-positive or false-negative reports are not security vulnerabilities and can use the repository's regular issue tracker. Redact paths, filenames, tags, and other private metadata from any scan report you attach.
FLAC input is parsed in-process by Python and native audio libraries. When scanning files from an untrusted source, use a low-privilege account or an isolated environment, keep dependencies current, and avoid scanning as an administrator. Treat malformed files as potentially hostile even though the application opens them read-only.