Security: sustainability-software-lab/ca-biositing

SECURITY.md

Security Policy

Supported Versions

Version     Supported
latest      Yes
< latest    No

Only the most recent release receives security updates.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.

Instead, please use one of the following channels:

  1. GitHub Security Advisories (preferred): Use the private vulnerability reporting feature to submit a report directly on GitHub.

What to Include

  • A description of the vulnerability and its potential impact
  • Steps to reproduce or a proof of concept
  • The version(s) affected
  • Any suggested fix (optional)

What to Expect

  • Acknowledgment within one week of your report
  • Assessment and triage within two weeks
  • Fix timeline depends on severity and available resources

This project is maintained by a small academic research team. We will respond as promptly as we can and appreciate your patience.

Disclosure Policy

We follow coordinated disclosure with a 90-day timeline:

  • We will work with you privately to understand and address the issue.
  • We ask that you do not publicly disclose the vulnerability until a fix is available or 90 days have passed, whichever comes first.
  • We will credit reporters in the security advisory unless you prefer to remain anonymous.

There aren’t any published security advisories