Security updates are applied to the latest minor release on the default branch and, when practical, backported to the most recent previous minor release. Exact support windows may be documented in release notes as the project matures.
If you need to report harassment or other non-security conduct concerns and
prefer not to use a public issue, use GitHub’s reporting tools on the relevant
comment or profile, or open a private vulnerability report with the subject
[CoC] so maintainers can route it appropriately.
Please do not open a public GitHub issue for security reports.
Instead, use one of these options:
- GitHub private vulnerability reporting (preferred): open the repository on GitHub and use Security → Report a vulnerability if enabled for this repo.
- Maintainer contact: email or DM maintainers with the subject line [SECURITY] owo and include:
  - Description of the issue and potential impact
  - Steps to reproduce or a proof-of-concept
  - Affected versions or commit range, if known
We aim to acknowledge reports within a few business days and coordinate a fix and disclosure timeline with you.
In scope: issues in this repository’s code, packaging, CI configuration, and documented public APIs that could realistically affect users of the library.
Out of scope: third-party services (e.g. LLM providers), social engineering, or physical security — report those to the relevant vendor or authority.
If you make a good-faith effort to follow this policy and avoid privacy violations, destruction of data, or service disruption, we will not pursue legal action against you.