Security fixes currently target the latest maintained release line and the current development branch.
Use GitHub's private vulnerability-reporting channel for this repository when it is available. If it is not available, contact the maintainer through the repository's published contact channel before disclosing details. Do not post a suspected vulnerability as a public Issue before coordinating disclosure.
Do not include API keys, tokens, secrets, credentials, exploit details, or real user data in a public Issue or discussion.
Please include the affected version or commit, impact scope, minimal reproduction steps, expected and actual behavior, and any possible mitigation. Security vulnerabilities are handled separately from ordinary bugs; report non-security defects through the normal issue process.
Maintainers will make a reasonable effort to acknowledge, assess, and remediate valid reports. No fixed response or remediation timeline is guaranteed.
This policy describes reporting. The project never stores API keys; the full technical controls, provider boundary, Template restrictions, managed-file behavior, and parent-coordinator responsibilities are documented in docs/security-model.md.