Security: Psychevus/cryptography-suite

SECURITY.md

Security Policy

Scope

Production security guarantees apply to suite.recipes and suite.core only. The suite.experimental package is research-only and excluded from support. Importing experimental modules emits an explicit runtime warning.

Responsible disclosure

Please report suspected vulnerabilities privately to psychevus@gmail.com with subject line SECURITY: cryptography-suite.

Please do not open public GitHub issues for exploitable vulnerabilities before coordinated disclosure.

Disclosure process targets

  • Initial acknowledgment: within 5 business days
  • Status update cadence: at least every 14 days while triaging/fixing
  • Coordinated disclosure target: within 90 days when feasible

Risk acceptance & limitations

  • No side-channel hardening claims are made unless explicitly stated.
  • Constant-time hardening is ongoing and may vary by backend/platform.
  • Deployments must provide cryptographically secure randomness and adequate entropy.

Version support

Only the latest minor releases in the most recent major line receive security fixes.

See CONTRIBUTING.md for patch requirements, and API stability for support levels.

There aren’t any published security advisories