• Acknowledge: ≤72 hours
• Initial triage result: ≤7 days
• Fix or mitigation for critical (CVSS ≥9): ≤14 days

Use Security → Report a vulnerability (preferred)

We request CVE IDs for qualifying issues and publish a Repository Security Advisory with severity, affected versions, and upgrade/mitigation steps.