During alpha, only the latest version receives security fixes. A formal support policy will be documented at GA.

Do not open a public issue.

Submit through GitHub's private vulnerability reporting form with:

• A description of the vulnerability and its impact
• Steps to reproduce
• Affected versions
• (Optional) a suggested fix

• 72 hours — acknowledgement of the report
• 7 days — severity assessment + remediation plan
• 30 days — fix released (timeline depends on severity)

We follow coordinated disclosure: technical details are published only after a patched release is available. Reporters are credited by name unless they request anonymity.