We take security seriously. If you discover a vulnerability in this project, please follow the process below — do not open a public GitHub issue.

Use one of these private channels:

1. GitHub private vulnerability reporting — open a private advisory on this repository's Security tab. This is the preferred channel.
2. Direct message — reach the maintainer through the contact information on their GitHub profile.

When reporting, include:

• A clear description of the issue and its impact
• Steps to reproduce (proof-of-concept if possible)
• Affected version(s) or commit SHA
• Any suggested mitigation
• Whether you would like public credit when the fix is released

• Acknowledgement within 7 days
• A triage decision (accepted, needs more info, out of scope) within 14 days
• A coordinated disclosure timeline once the issue is confirmed
• Public credit in the release notes (with your consent)

Only the latest commit on main is actively supported. Older releases are not patched. If you are running an older version, please update before reporting.

• Vulnerabilities in third-party dependencies — please report those upstream first; we will track the impact here once confirmed.
• Issues requiring physical access to a developer's machine.
• Social engineering attacks.
• Findings from automated scanners without a working proof-of-concept.

We will not pursue legal action against researchers who:

• Make a good-faith effort to follow this policy.
• Avoid privacy violations, data destruction, and service degradation.
• Give us reasonable time to fix the issue before disclosing publicly.

Thanks for helping keep this project and its users safe.