Security fixes apply to the main branch unless otherwise stated. For released tags, critical fixes may be backported on a best-effort basis.

• Email: security@plugged.in
• Please include a description, reproduction steps, and impact assessment.
• We aim to acknowledge within 72 hours and provide a remediation ETA within 14 days.

We prefer coordinated disclosure. We will assign a CVE when appropriate and credit reporters who wish to be acknowledged.