Security fixes are provided for the latest release on main.

1. Use GitHub private vulnerability reporting for this repository.
2. Include:
   • affected component/file
   • reproduction steps
   • impact assessment
   • suggested mitigation if available

Do not open public issues for unpatched vulnerabilities.

1. Initial triage response: within 5 business days.
2. Confirmed vulnerability status update: within 10 business days.
3. Fix timeline depends on severity and complexity; maintainers will communicate milestones in the private thread.