We support the latest minor release on main. Older versions get critical security fixes only on a best-effort basis.

• Email: security@lensr.dev (PGP key on https://lensr.dev/.well-known/pgp.txt)
• Do NOT open a public GitHub issue for vulnerabilities.
• We acknowledge within 48 hours and target a fix or mitigation within 14 days (90 days max for complex issues).
• We credit reporters in the changelog (with consent) and may offer rewards case-by-case.

In-scope: this repository's source code, official Docker images, official SDKs, and the lensr.dev website. Out-of-scope: third-party plugins not maintained by Lensr Labs.