Security disclosures are accepted for current mainline work and all tagged stable releases.
- Send a private report to the project maintainers (do not open a public issue first).
- Include: impact summary, reproduction steps, affected versions, and suggested mitigation.
- If possible, include a minimal proof of concept.
- Maintainers acknowledge receipt within 3 business days.
- Triage target: initial severity assessment within 7 business days.
- A fix timeline is shared after triage.
- Public disclosure is coordinated after patch availability.
Out of scope:
- Reports that require non-default insecure deployment settings only.
- Non-exploitable style or documentation issues without security impact.
Related documents: SECURITY_CHECKLIST.md, THREAT_MODEL.md, SPEC.md (security and authorization sections)