If you discover a security vulnerability, please report it through GitHub Security Advisories.

Do not open a public issue for security vulnerabilities.

• Description of the vulnerability
• Steps to reproduce
• Affected versions
• Potential impact

• Acknowledgment: within 48 hours
• Initial assessment: within 1 week
• Fix target: within 90 days of confirmation

Contributors who responsibly disclose vulnerabilities will be credited in the release notes (unless they prefer to remain anonymous).