Security fixes are provided for the current main branch. Older snapshots and forks are not guaranteed to receive patches.

If you discover a security issue, please report it privately:

1. Open a GitHub Security Advisory (preferred), or
2. Email the maintainer listed on the repository profile.

Please include:

• A clear description of the issue
• Reproduction steps or proof of concept
• Impact assessment
• Suggested mitigation (if available)

• Initial acknowledgment: within 7 days
• Triage and severity assessment: as soon as reproducible
• Patch timeline: depends on severity and complexity

• Do not include real API keys, personal student data, or private credentials in reports.
• The project is designed for local/offline-first usage; most sensitive risk areas are local device storage, backend exposure, and model endpoint misuse.