Security fixes are best-effort and are typically made against the current master branch.

Please do not publish vulnerability details in a public issue.

Preferred process:

1. Use GitHub's private vulnerability reporting flow for this repository if it is enabled.
2. If private reporting is not available, open a minimal public issue requesting a secure reporting path, without including exploit details, secrets, or full reproduction steps.

When reporting an issue, include:

• affected version or commit
• impact and attack surface
• reproduction steps
• proof-of-concept details only through a private channel
• any suggested mitigation or patch direction

Please allow maintainers reasonable time to investigate and prepare a fix before public disclosure.