Security fixes are applied to the latest development state on main. If stable release branches are introduced, support windows will be documented here.

Please do not open public issues for security vulnerabilities.

Instead, report vulnerabilities responsibly with:

• Impact summary
• Reproduction steps
• Proof of concept (if possible)
• Suggested remediation (optional)

Until a dedicated security email is added, use a private maintainer contact route and clearly label messages with [SECURITY].

• Initial acknowledgement: within 72 hours
• Triage update: within 7 days
• Fix timeline: based on severity and complexity

• We follow coordinated disclosure when possible.
• Reporters are credited after resolution unless they request anonymity.