Only the latest major release receives security patches.
Report vulnerabilities privately by opening a GitHub Issue with
[SECURITY] prefix. Do not file public issues for active vulnerabilities.
- 48h: Acknowledgment
- 7 days: Initial triage
- 30 days: Fix or mitigation
We follow coordinated disclosure. Patches are published with a CVE identifier and advisory in the release notes.