This project is currently pre-1.0. For now, security fixes are applied to the latest commit on the default branch.
Please do not open public issues for security vulnerabilities.
Use one of these channels:
- Preferred: Open a private security advisory in this repository.
- If a private advisory is not available, open an issue with minimal details and explicitly request a private contact method before sharing exploit details.
Please provide as much of the following as possible:
- A clear description of the vulnerability
- Impact assessment (what can be exploited and how severe)
- Reproduction steps or proof of concept
- Affected versions/commits
- Suggested mitigation (if known)
We aim to:
- Acknowledge initial reports within 3 business days
- Provide a triage status update within 7 business days
- Publish a fix or mitigation timeline as soon as validation is complete

Please allow maintainers time to investigate and fix before public disclosure.
After a fix is available, coordinated disclosure is encouraged.