Security fixes are applied to the latest commit on main.

Please do not disclose vulnerabilities in public issues.

1. Open a private security advisory in GitHub: Security -> Advisories -> Report a vulnerability.
2. If GitHub advisories are unavailable, contact the maintainer directly and include:
   • A clear description of impact
   • Reproduction steps
   • A proof of concept (if available)
   • Suggested remediation (optional)

• Initial triage response: within 3 business days
• Status update: within 7 business days
• Fix target for confirmed high/critical issues: as soon as practical, usually within 30 days

After a fix is available, coordinated public disclosure is preferred. Credit will be given unless you request anonymity.