Security fixes land on main first. Backports to tagged releases are best-effort until the project has a formal release support policy.
Please do not open a public issue for a suspected vulnerability.
Use GitHub private vulnerability reporting for this repository if it is enabled. If it is not enabled yet, contact the maintainers privately through the repository hosting platform and include:
- A clear description of the issue
- Affected files, commands, or deployment path
- Reproduction steps or a proof of concept
- Expected impact
Please avoid publishing exploit details until a fix or mitigation is available.
After you submit a report, you can expect:
- Initial triage as soon as maintainers can review the report
- Confirmation of whether the report is accepted, rejected, or needs more detail
- A coordinated disclosure timeline when the report is valid
This repository includes optional hosted-style components such as the SSH gateway. Reports affecting self-hosted deployments, release artifacts, or maintainer-run demo infrastructure are all in scope.