gopus is pre-v1: security fixes land on master, and a version line becomes supported once its tag and GitHub Release are published.

Do not open a public issue for a suspected vulnerability. Prefer GitHub private vulnerability reporting for this repository; if that is unavailable, email thesyncim@gmail.com.

Please include the affected commit or version; your Go version, OS, and architecture; build tags; an impact summary; and reproduction steps or a proof of concept.

Acknowledgment is best effort, usually within a few business days. Confirmed vulnerabilities get a GitHub Security Advisory and a fix on master, plus a patched release once a public release line exists.