This allocator is a teaching project; only the active development branch and the latest tagged release receive fixes. Historical tags remain available for reference but are not patched retroactively.

1. Use GitHub’s “Report a vulnerability” workflow (Security ➜ Advisories) so the report stays private until the fix ships.
2. Provide a minimal reproducer, the affected commit/tag, and any crash traces or sanitiser logs.
3. Expect an acknowledgement within five working days. You will then receive weekly updates until the issue is resolved or determined to be non-exploitable.
4. Coordinated disclosure is the default. If the finding is accepted, a fix and CVE (if applicable) will be published before the advisory is made public. If the finding is declined, we will share the rationale privately.
5. Please do not open public GitHub Issues or discuss the vulnerability on social media until the advisory is published.

For urgent matters where GitHub is unavailable, email drafter-bicycle.0t@icloud.com with the subject line [malloc-security].