- Main branch is supported. Older builds are not actively maintained.
- Email or open a private security advisory on GitHub instead of a public issue.
- Include reproduction steps, affected versions, and potential impact.
- We aim to acknowledge reports within five business days and provide a remediation plan or timeline when possible.
- Do not test or exploit vulnerabilities in production environments you do not own.
- Give us a reasonable time to investigate and fix before public disclosure.