Security fixes are provided for actively maintained branches:
main: fully supported- pre-release branches: best effort until merged
- older branches/tags: no guaranteed SLA
Do not open public issues for unpatched vulnerabilities.
Report privately using:
- GitHub Security Advisory (preferred): repository
Securitytab
Please include:
- affected version/commit
- impact and attack scenario
- minimal reproduction steps
- suggested mitigation (if available)
- Initial triage: within 3 business days
- Severity assessment and remediation plan: within 7 business days
- Patch targets:
- critical/high: as soon as possible (typically within 14 days)
- medium/low: next scheduled security release
- Coordinated disclosure is expected.
- Public details are shared after patch availability.
- Reporter credit is provided unless anonymity is requested.