Only the versions listed above receive security updates. If you are using an unsupported version, upgrade before reporting.

If you discover a security vulnerability, do not disclose it publicly.

Do NOT:

• Open a GitHub issue describing the vulnerability.
• Create a pull request that references or demonstrates the vulnerability.
• Post proof-of-concept code, stack traces, logs, or screenshots in public discussions.
• Discuss the vulnerability in public forums, chat rooms, or social media.

Public disclosure before a coordinated fix may put users at risk.

Instead, report the issue privately using one of the following methods:

1. GitHub Security Advisory (preferred): Go to the repository’s Security tab and click “Report a vulnerability” to submit a private report.

2. Email: Send details to stratumv2@gmail.com.

When reporting, include:

• A clear description of the vulnerability.
• Steps to reproduce.
• A minimal proof-of-concept (if applicable).
• Affected version(s).
• Any suggested mitigations or fixes (optional).

The following OpenPGP keys may be used to encrypt sensitive information:

To import a key:

gpg --keyserver hkps://keys.openpgp.org --recv-keys "<fingerprint>"

Verify the fingerprint before encrypting sensitive data.

• We will acknowledge receipt of your report as soon as possible.
• We will investigate and determine impact and remediation steps.
• We may request additional information during triage.
• Once a fix is prepared, we will coordinate responsible disclosure.
• Credit will be given if desired.

Do not open a pull request referencing the vulnerability.

Send the proposed patch privately via email or attach it directly to the private GitHub Security Advisory thread (via the Security → “Report a vulnerability” workflow). We will coordinate review, integration, and disclosure timing before any public reference is made.