Please report vulnerabilities privately through GitHub Security Advisories or repository security contact channels. Do not open public issues for sensitive security reports.
This policy covers all code and packages in this repository.
- Initial acknowledgment: within 5 business days
- Triage and impact classification: as soon as reproducible details are available
- Coordinated disclosure: after patch availability