Thank you for responsible vulnerability disclosure. The preferred channel is GitHub's private Security Advisory. This document outlines how to submit vulnerability reports, supported version policies, disclosure and patch processes, and our acknowledgment policy for reporters.

Create a private security advisory on GitHub. You can open a draft security advisory.

• We prioritize support for: the latest release version (current) and the previous minor release.
• If your version is earlier than the supported range, please upgrade to a maintained version as soon as possible to receive security fixes.
• Please clearly indicate "affected versions" in your report.

• Title
• Affected versions
• Severity assessment (optional: CVSS or brief description)
• Steps to reproduce
• Test environment (OS, dependencies, configuration)
• Fix suggestions (optional)
• Contact information (if private communication is needed)