Security fixes are applied on a best-effort basis to the latest code on main.
If you are reporting a vulnerability, reproduce it against the latest commit or
the latest published release when possible, and state the commit hash or release tag you tested.
Please do not open a public GitHub issue for suspected vulnerabilities.
Instead, report the issue privately to the repository maintainer with:
- A description of the vulnerability.
- Affected versions or commit range, if known.
- Reproduction steps or a minimal proof of concept.
- Any relevant logs, stack traces, or configuration details, with secrets (credentials, tokens, keys) removed.
- Your assessment of impact.
If GitHub private vulnerability reporting is enabled for this repository, use that channel. Otherwise, contact the maintainer through a private channel and allow time for triage before public disclosure.
Best-effort process:
- Acknowledge receipt of the report.
- Validate and assess impact.
- Prepare and test a fix when the issue is confirmed.
- Coordinate disclosure after a fix or mitigation is available.
Reports are most useful when they focus on issues in this repository's source, release artifacts, or documented workflows. Problems caused solely by local machine misconfiguration, third-party service outages, or unsupported modified builds may fall outside the scope of this policy.