We currently support the latest minor release series (0.1.x). Security fixes are generally backported at our discretion.

Please report security vulnerabilities privately to [email protected]. Do not open a public issue.

We will:

• Acknowledge receipt within 72 hours
• Provide a status update within 7 days
• Coordinate a fix and disclosure timeline (typically within 90 days)

We will issue a security advisory and update the CHANGELOG.md when a fix is released.