We support the latest release on the default branch. Security fixes may be backported at maintainer discretion.

Please use GitHub Private Vulnerability Reporting (Security → “Report a vulnerability”) if enabled.

If private reporting is not available, contact the maintainers privately:

• Security contact: developer@clouddefense.ai

• Impact summary (what can an attacker do?)
• Affected components/paths
• Minimal reproduction steps or PoC (safe & non-destructive)
• Any suggested fix or mitigation

• Acknowledgment: within 72 hours
• Initial assessment: within 7 days
• Fix or mitigation plan: within 30 days (varies by severity/complexity)

Please do not open public issues for suspected vulnerabilities. We will coordinate on a disclosure timeline once validated.