Security fixes are prioritized for the latest release candidate and the latest stable release.

Please report security issues privately:

• Open a private security advisory on GitHub (preferred), or
• Email the maintainer listed in pyproject.toml.

When reporting, include:

• Affected version and environment
• Reproduction steps
• Impact assessment
• Suggested mitigation (if any)

• Initial acknowledgment: within 3 business days
• Triage and severity classification: within 7 business days
• Fix timeline: depends on severity and release cadence