This repository is maintained on the main branch. Security fixes are applied to main.

Please do not open public issues for security vulnerabilities.

Preferred process:

1. Open a private GitHub Security Advisory in this repository.
2. Include a clear description, impact, and reproducible steps.
3. Provide affected files/paths and any suggested mitigation.

If private advisory is unavailable, contact the maintainer privately via GitHub profile.

• Initial acknowledgment: within 72 hours
• Triage decision: within 7 days
• Fix timeline: depends on severity and complexity

• We coordinate disclosure after a fix is available.
• We may request reasonable embargo time for patch preparation and validation.
• Public advisories should include impact, affected scope, and remediation guidance.