We currently maintain the latest stable version of this project. Older versions may not receive security updates.
We take security seriously in this project. If you discover a vulnerability, we strongly encourage you to report it in a responsible manner.
Please open a Security Advisory to report any vulnerabilities.
We will acknowledge your report within 5 working days. For confirmed vulnerabilities, we aim to provide a full disclosure and patch within 14 days, depending on the complexity and impact.
Please do not report security issues publicly before we have had a chance to investigate and address them.
This project follows these practices:
- ✅ Dependencies are scanned automatically using GitHub Dependabot.
- ✅ Code is scanned weekly using GitHub Advanced Security and a GitHub Actions analysis tool (CodeQL and OSSF Scorecard).
- ✅ Branch protection is enabled, with required status checks for pull requests.
- ✅ Changes are reviewed via pull requests by multiple maintainers.
We follow a Coordinated Disclosure approach:
- You notify us privately of the issue.
- We confirm and fix the issue internally.
- A fix is released and a public disclosure is made (if necessary).
Releases are signed with GPG. Verification instructions are provided in the release notes.
Thank you for helping us keep the project and our users safe.