The default branch and the most recent release are supported for security fixes.
Please do not open public issues for potential vulnerabilities. Instead:
- Prefer GitHub's private vulnerability reporting (Security Advisories) when available.
- Otherwise email: bwi@cocoar.dev
- Include a minimal reproduction, impact assessment, and affected versions/commits.
- We aim to acknowledge reports within 72 hours.
We prefer coordinated disclosure. After a fix is available, we'll publish release notes with mitigation guidance.