| Version | Supported |
|---|---|
| 0.5.x | ✅ |
| 0.4.x | ✅ |
| 0.3.x | ✅ |
| 0.2.x | ✅ |
| 0.1.x | ✅ |
Do not file public issues for security vulnerabilities.
To report a security vulnerability, please use the GitHub Security Advisory private disclosure form.
- A description of the vulnerability and its potential impact.
- Steps to reproduce or a proof-of-concept.
- Affected versions, if known.
- Any suggested mitigations.
We follow a 90-day coordinated disclosure timeline:
- Acknowledgment — We will acknowledge your report within 3 business days.
- Triage — We will triage the report and confirm the vulnerability within 7 business days.
- Fix — We aim to release a fix within 30 days of confirmation. Complex issues may take longer; we will keep you informed of progress.
- Disclosure — If 90 days have elapsed since your report and no fix has been published, you may disclose the vulnerability publicly.
Security researchers who report confirmed vulnerabilities will be credited in CHANGELOG.md unless they request otherwise.
All reports should be submitted in English.