Security updates are provided for the latest code on the main branch.

Please do not report security vulnerabilities in public GitHub issues.

Report privately by email:

• hexa [at] duck [dot] com (replace [at] and [dot])

Include:

• affected version/commit
• reproduction steps
• impact assessment
• any proof-of-concept or logs (if safe to share)

• Initial acknowledgment target: within 72 hours
• Triage and severity assessment: as soon as practical
• Fix planning and release timing: based on severity and exploitability

We may ask for clarification or validation help during triage.