We focus security fixes on the main branch and the most recent release tag.

If you discover a security vulnerability in Riva:

1. Do not open a public GitHub issue.
2. Create a security advisory on GitHub.

You will receive an acknowledgement within 72 hours. We aim to provide an initial assessment within 7 days and coordinate disclosure once a fix is ready.

• We create a private GitHub issue or discussion to track the report.
• A maintainer will prepare a fix and add tests when feasible.
• After validation, we publish a release and a security advisory summarizing the impact and mitigation.

Thank you for helping keep the community safe.