The 3DCF team maintains one supported branch and handles vulnerability reports privately to keep downstream users safe.

• Email yevhenii@3dcf.dev with a short description, affected commit/release, and proof-of-concept or reproduction notes.
• If you prefer, request our PGP fingerprint in the same message and resend an encrypted copy.
• We acknowledge reports within 3 business days and send a mitigation or fix plan within 15 business days whenever possible.
• After a fix is released we will coordinate public disclosure and, if desired, credit the reporter.

Please avoid filing public issues or sharing exploit details until we confirm a fix is available and both parties agree on a disclosure date.