Security: ccuetoh/sriracha

SECURITY.md

Security Policy

Supported Versions

Sriracha is pre-1.0 software. Only the main branch receives security fixes. Tagged releases are not supported once superseded; please update to the latest commit on main to receive fixes.

Reporting a Vulnerability

Please report suspected vulnerabilities privately using GitHub's private vulnerability reporting on this repository. Do not open a public issue, pull request, or discussion for security-sensitive reports.

When reporting, include:

  • A description of the vulnerability and its impact
  • Steps to reproduce, ideally with a minimal proof of concept
  • The affected commit (or commit range)
  • Any known mitigations or workarounds

You should expect an initial acknowledgement within 7 days. We aim to provide a remediation plan or fix within 30 days of triage, depending on severity and complexity.

Disclosure

Once a fix has landed on main, we will publish a GitHub Security Advisory crediting the reporter (unless anonymity is requested) and describing the issue, affected versions, and remediation.

There aren't any published security advisories