We actively maintain the latest development branch and the most recent tagged release. Older tags and forks are provided as-is without security backports.

• Private reports only. Please do not open public issues for security problems.
• Use GitHub Security Advisories to submit a private report to the maintainers.
• Include as much detail as possible (reproduction steps, affected versions, proposed impact) so we can triage quickly.
• We aim to acknowledge new reports within 3 business days and keep you updated on remediation progress until resolution.

• We request a 90-day embargo period before public disclosure unless we agree on a different timeline.
• Once a fix is available, we will publish a summary in the release notes and credit reporters who consent to attribution.