Security: pmalarme/github-secrets

SECURITY.md

Security Policy

Reporting vulnerabilities

We take security vulnerabilities seriously and are committed to addressing them promptly. If you discover a potential security issue in this project, please report it privately and responsibly via the Security tab.

  • Please use GitHub Security Advisories (Security tab > Report a vulnerability) to privately disclose issues. Avoid public issues or pull requests for suspected vulnerabilities.
  • Include details to reproduce (steps, inputs, configs), affected versions/commits, expected vs. actual behavior, and impact. Share proof-of-concept exploits only in the private report.
  • If the private advisory workflow is unavailable in your fork, contact the repository maintainers through a private channel with the same details.

Response process

  • We aim to acknowledge reports as soon as possible; typically this is within 5 business days, but response times may vary because this is a community-maintained project.
  • We will share triage status and next steps after the initial acknowledgment.
  • Coordinated disclosure timelines will be agreed upon with the reporter when fixes are prepared.

Supported versions

  • Security fixes target the default branch. Backports to older releases may be considered when the impact warrants it and the branch is still maintained.

There aren’t any published security advisories