We support the latest main branch. Ensure issues reproduce against main.

• Do not disclose vulnerabilities publicly.
• Use GitHub Private Vulnerability Reporting if enabled, or open a GitHub Security Advisory draft to the maintainers.
• If private reporting is unavailable, open a minimal issue stating you have a security report and request a private contact channel. Do not include sensitive details publicly.

We aim to acknowledge reports within 72 hours and provide remediation updates after triage.

We will not pursue legal action against good-faith security research that follows this policy and avoids unauthorized access, data exfiltration, or service disruption.