Please report security vulnerabilities by emailing [email protected].

• Do not report security vulnerabilities through public GitHub issues
• Expect a response within 48 hours
• If the issue is confirmed, we will release a patch as soon as possible
• If the vulnerability is declined, we will provide a detailed explanation

• All releases are signed with GPG
• Dependencies are regularly checked for vulnerabilities
• Code is scanned for security issues before release