Please report vulnerabilities privately via GitHub Security Advisories:

• Create a private security advisory

Do not open public issues for unpatched vulnerabilities.

• Affected version/commit
• Reproduction steps or proof of concept
• Impact assessment
• Suggested remediation (if available)

• Initial acknowledgement: within 3 business days
• Triage and severity assessment: within 7 business days
• Remediation timeline: based on severity and risk

We follow coordinated disclosure. Once a fix is available, maintainers publish release notes and, if applicable, a security advisory.