Security fixes are targeted at:

• the latest published release
• the current main branch

Older releases may receive guidance, but they should not be assumed to receive backported fixes.

Please do not open public issues for suspected vulnerabilities.

Preferred channel:

• Use GitHub's private vulnerability reporting for this repository if it is enabled.

Fallback:

• Contact the maintainer privately through the contact details listed on the repository owner's GitHub profile before public disclosure.

Please include:

• affected hpc-compose version or commit
• reproduction steps or a minimal compose file
• expected impact
• any cluster-specific assumptions needed to trigger the issue

• I will acknowledge receipt as quickly as possible.
• I will validate the report, assess impact, and work on a fix or mitigation.
• Public disclosure should wait until a fix, mitigation, or clear operator guidance is available.