The latest released minor version on main receives security fixes. Older versions receive fixes on a best-effort basis.
Do not file a public issue for security reports.
Use one of these private channels:
- GitHub Security Advisories (preferred): the "Report a vulnerability" button on the Security tab of this repository.
- Email the maintainer at the address listed on the @adityachilka1 profile.
Include:
- A description of the issue and its impact
- Steps to reproduce or a proof of concept
- The affected version(s)
We aim to acknowledge reports within 72 hours and have a patch or mitigation plan within 7 days for issues we can reproduce. Critical issues will be prioritised.
We follow coordinated disclosure: once a fix is available, we credit the reporter (unless they prefer to remain anonymous) in the release notes and CVE record where applicable.