We support the latest minor release on the default branch. Please update to the most recent version before filing a report.

Email git@sunsung.fun with subject SECURITY: <short summary>. Include affected version, environment, impact, clear reproduction steps, and a minimal PoC if possible. Do not open public issues or PRs for security reports.

We will:

• Acknowledge your report within 72 hours.
• Provide an initial assessment or mitigation plan within 14 days.
• Aim to fix or provide mitigations within 90 days (timeline may vary with complexity).

Please keep your report private until a fix is released. We will coordinate a public advisory and credit you (unless you request otherwise).

• Social engineering or physical attacks.
• Pure DoS/spam without a concrete, actionable fix.
• Automated scan results without demonstrated exploitability.
• Issues affecting only unsupported versions or non-default configs.
• Vulnerabilities in third-party dependencies (please report upstream).

If you follow this policy and act in good faith, we will not pursue legal action or block your research.

Security fixes are shipped as patch releases and noted in the changelog/release notes.