Security fixes are applied on a best-effort basis to the latest main branch.

Please do not open public GitHub issues for security vulnerabilities.

Instead:

1. Use GitHub private vulnerability reporting for this repository, if enabled.
2. If unavailable, contact maintainers directly and include:
   • Description of the issue
   • Reproduction steps
   • Impact assessment
   • Suggested fix (if available)

You can expect an initial acknowledgement within 7 days.

After confirmation, we will coordinate disclosure and release timing with the reporter.