Please do not open a public GitHub issue for security vulnerabilities.

Use GitHub's private vulnerability reporting: 👉 Report a vulnerability

We follow coordinated disclosure — fixes ship before public disclosure. Expected response: within 7 days.

sunfish is in active pre-1.0 development. Security fixes are applied to the latest commit on main only. No backport policy exists until a stable release is tagged.