Please report vulnerabilities privately to the maintainers.

• Initial acknowledgment: within 72 hours
• Triage decision: within 7 days
• Mitigation/release plan: communicated after triage

• Input validation for time ranges, recurrence rules, and iCal parsing
• Safety around timezone handling and date arithmetic
• CI security scanning via CodeQL and gosec

Security fixes are prioritized for the latest tagged release and main.