Security fixes are applied to:

• the latest commit on main
• the latest tagged release, once releases are published

Older versions may not receive fixes.

Please do not open a public issue for security problems.

Preferred reporting paths:

1. GitHub Private Vulnerability Reporting / Security Advisories, if enabled
2. Private contact to the maintainer via @chuanman2707

Include:

• a short description of the issue
• impact and attack scenario
• exact reproduction steps
• affected files, versions, or environments
• a proof of concept if safe to share

• acknowledgment target: within 72 hours
• initial triage target: within 7 days
• remediation timeline: depends on severity and reproduction quality

Please allow time for triage and remediation before public disclosure.