Security fixes are applied to the latest state of the default branch.

Please do not report security vulnerabilities in public GitHub issues.

Use one of these private channels:

1. GitHub private vulnerability reporting (preferred, if enabled).
2. Private contact via the maintainer profile: https://github.com/paulcouach

Please include:

• A clear description of the issue and impact.
• Reproduction steps or proof of concept.
• Affected files/paths and environment details.
• Any suggested mitigation.

• Initial acknowledgement: within 72 hours.
• Triage decision: within 7 days.
• Target fix timeline: depends on severity and complexity.

We follow coordinated disclosure. After a fix is available, we may publish details in release notes and/or advisories.