Security fixes are provided for:

• main branch (latest source)
• latest tagged release

Older releases may not receive fixes.

Please do not report vulnerabilities in public issues.

Preferred path:

1. Use GitHub Security Advisories (Security tab) for this repository.
2. If advisories are unavailable, contact maintainers through a private channel and include:
   • affected version/commit
   • reproduction steps
   • impact assessment
   • proof of concept (if available)

If no private channel is available, open a minimal issue titled [SECURITY] Private contact requested without exploit details.

• Initial acknowledgment: within 3 business days
• Triage decision: within 7 business days
• Fix timeline: depends on severity and scope

We follow coordinated disclosure. Please allow maintainers time to validate and patch before public disclosure.