This policy applies to all repositories under the lazybytez GitHub organization.

Only the latest release of each project is actively maintained. Security fixes are not backported to older versions unless stated otherwise in a repository's own documentation.

Do not open a public GitHub issue for security vulnerabilities. Doing so could expose users of affected software to risk before a fix is available.

Send a report to security@lazybytez.de instead. Please include:

• A clear description of the vulnerability
• The affected repository and version
• Steps to reproduce the issue
• Any potential impact you have identified

You will receive an acknowledgment within 48 hours. An initial assessment of severity and scope will be provided within 7 days of receipt.

We ask that you allow a reasonable window for us to develop and release a fix before making any details public. We will work with you to agree on a disclosure timeline. If we are unable to reach agreement, we will default to a 90-day disclosure window from the date of the initial report.

Reporters are credited in the release notes of the affected project unless they prefer to remain anonymous. Please indicate your preference in your initial report.