We follow Semantic Versioning and provide security fixes for actively supported release lines.

Projects using this software should upgrade to a currently supported release line to continue receiving security updates.

If you believe you have found a security vulnerability in this project, please do not open a public issue or pull request.

Instead, report the issue privately using the following method:

• GitHub Security Advisories: Go to this repository's Security tab, choose Advisories, and click Report a vulnerability to open a private security advisory with full details.

Please include as much information as possible to help us reproduce and understand the issue (affected versions, environment, steps to reproduce, and any proof-of-concept code).

• We aim to acknowledge receipt of your report within 3 business days.
• We will provide status updates at least every 7 days while we investigate and remediate the issue.
• Once a fix is ready, we will prepare a release and a security advisory describing the impact, affected versions, and mitigation steps.
• We will coordinate public disclosure with you. If we determine the reported issue is not a security vulnerability or has low impact, we will explain our reasoning in the private advisory.