Security: VollcomDigital/drupal-boilerplate

SECURITY.md

Security Policy

Supported Versions

This project is currently pre-1.0. Security fixes are applied to the latest commit on the default branch.

Version | Supported
main    | yes

Reporting a Vulnerability

Please do not create public issues for security vulnerabilities.

Use one of the following private channels:

  1. GitHub Security Advisories (preferred):
    • Go to the repository's Security tab.
    • Click Report a vulnerability.
  2. If Security Advisories are unavailable, open a private issue with maintainers and clearly label it as security.

Include:

  • Affected component(s) and version/commit
  • Reproduction steps or proof of concept
  • Impact assessment
  • Suggested remediation (if known)

Response Targets

  • Initial triage acknowledgement: within 3 business days
  • Status update cadence: at least weekly until resolution
  • Coordinated disclosure after a patch is available

Responsible Disclosure

  • Give maintainers reasonable time to investigate and patch.
  • Avoid public disclosure before a fix or mitigation is released.
  • Do not access data that is not yours.
  • Do not run destructive tests against third-party systems.

There aren’t any published security advisories