Open a GitHub Security Advisory on the affected repository.
Include:
- Description of the vulnerability
- Steps to reproduce
- Affected version(s)
Do not open public issues for security vulnerabilities.
- Acknowledgment: Within 48 hours
- Assessment: Within 7 days
- Fix: Based on severity (critical = days, high = weeks, lower = next release)
Only the latest track is supported. Older tracks may receive critical fixes at maintainer discretion.