
Security: fraware/provable-discovery-memory

Security Policy

Supported Versions

Security fixes are applied to the latest default branch (main). Older snapshots and historical tags are not guaranteed to receive patches.

Reporting a Vulnerability

Do not open public issues for suspected vulnerabilities.

Please report security findings privately to the maintainers with:

  • affected component and file path(s),
  • reproduction steps,
  • impact assessment,
  • any proof-of-concept details needed for validation.

If encrypted contact is required, request a secure channel in your first message and a maintainer will provide one.

Disclosure Process

Maintainers aim to:

  1. acknowledge receipt within 72 hours,
  2. validate and triage severity,
  3. prepare and test a fix,
  4. coordinate disclosure timing with the reporter,
  5. publish remediation details once users can safely patch.

Scope Notes

For this repository, sensitive surfaces include:

  • adapter integrations and external service credentials,
  • release artifacts and checksum verification paths,
  • CI workflows and secret handling in .github/workflows/.

Reports involving accidental secret exposure should include immediate revocation guidance where applicable.
