Security fixes are provided for the latest published release. Older versions may not receive patches.
Please report vulnerabilities privately by email:
Do not open a public GitHub issue for an undisclosed vulnerability.
Please include:
- Affected version
- Reproduction steps or proof of concept
- Impact assessment
- Suggested remediation (if available)
- Initial response: within 3 business days
- Triage update: within 7 business days
- Fix timeline: depends on severity and complexity
When a fix is released, we will publish a security advisory or release note summary as appropriate.