Security fixes are provided for the latest main branch and latest tagged release.

Please do not file public issues for vulnerabilities.

Instead:

1. Use GitHub Security Advisories to report privately.
2. Include reproduction steps, impact, and affected paths/crates.
3. Allow time for triage and coordinated disclosure.

• Initial acknowledgement: within 72 hours
• Triage decision: within 7 days
• Fix timeline: depends on severity and complexity