Security fixes are applied to the latest release line and the default branch under active development.

If you discover a vulnerability, please report it privately first:

1. Open a private security advisory in GitHub, if available.
2. If advisories are unavailable, open an issue marked security with minimal exploit details and request private follow-up.

Please include:

• A clear description of the issue
• Affected versions/commit range
• Reproduction steps or proof of concept
• Suggested mitigation, if known

• Initial acknowledgement target: within 3 business days
• Triage and severity assessment: as quickly as possible
• Fix and coordinated disclosure timeline: based on severity and impact

Please avoid public disclosure before a fix or mitigation is available.