Thank you for helping keep this project secure.
Security fixes are primarily applied to:

| Scope | Status |
|---|---|
| Default branch of each actively maintained repository | Supported |
| Release branches explicitly marked as supported | Supported |
| Other branches, forks, and stale branches | Limited support (best effort) |

Please do not open a public issue for security vulnerabilities.
Use a private channel first:
- Open a private GitHub Security Advisory in the affected repository
- If scope is unclear, mention all potentially affected repositories in the report
- If private advisories are unavailable, contact maintainers through a private channel

To speed up triage, include:
- Clear vulnerability description
- Estimated impact (confidentiality, integrity, availability)
- Reproduction steps
- Affected version and environment
- Proof of concept (PoC), if available
- Suggested fix or mitigation (optional)

Response targets:
- Initial acknowledgement within 3 business days
- Initial triage within 7 business days
- Remediation plan shared as soon as possible based on severity

Please do not publicly disclose a vulnerability until a fix or acceptable mitigation has been released.
Unless requested otherwise, reporters who disclose vulnerabilities responsibly may be acknowledged in release notes.