We take the security of this project seriously and appreciate responsible disclosures.
We provide support exclusively for the latest version, as we follow a develop-at-HEAD policy. Security fixes are applied only to the current version and are not backported to older releases.
We track and address only vulnerabilities rated HIGH or higher in the NVD. For vulnerabilities affecting upstream dependencies, we rely entirely on upstream maintainers to provide fixes and do not independently patch or maintain forks of those dependencies.
If you believe you have found a security issue in this project, please do not open a public issue or pull request.
Instead, report it through GitHub’s security advisory flow:
- Go to the repository’s Security tab.
- Click Report a vulnerability, or visit the advisories page.
- Provide as much detail as possible, including:
  - Steps to reproduce
  - Expected vs. actual behavior
  - Any logs, proofs of concept, or configuration details that help us reproduce the issue
  - Your assessment of impact (if possible)