Email [email protected] with: description, impact, repro steps/PoC, suggested mitigation. SLO: acknowledge within 72h, target fix ≤14 days where feasible. PGP available on request.
We maintain main and the latest release line. Critical issues may be backported.
OpenSSF Scorecard, Dependency Review, and SBOM (CycloneDX) workflows are enforced in CI.