We release security fixes for the latest commit on the default branch (main). Use the current version for production-like evaluations.

Please do not open a public issue for security vulnerabilities.

Instead:

1. Open a private security advisory on GitHub: Security advisories (repository maintainers must have GitHub Security enabled).
2. If that is unavailable, open a regular issue titled SECURITY: private disclosure and ask to be contacted privately, or email the repository owner through their GitHub profile contact options.

Include:

• A clear description of the issue and its impact
• Steps to reproduce (proof of concept if possible)
• Affected versions or commit range
• Suggested fix (optional)

We aim to acknowledge reports within a few business days and will coordinate disclosure once a fix is ready.

This project is intended for authorized testing and education in sandbox or lab environments only. Misuse against systems without permission is illegal and out of scope for this policy’s good-faith disclosure process.