Thread is early software.

Security fixes are handled for the current 0.1.x line.

Please do not post exploit details in a public issue.

Use GitHub private vulnerability reporting if it is available for this repository.

If that is not available, open a short public issue asking for a private security contact path. Do not include the details there.

When reporting, include what happened, how to reproduce it, and what impact you expect.

The repo has dependency and code scanning in CI.

Security checks can miss things, so small clear reports are useful.

BSD 3-Clause. See LICENSE.