Please report security vulnerabilities privately:

• GitHub Security Advisories on this repository (preferred), or
• Direct contact via https://x.com/Staxxxx17

Do not open public GitHub issues for security-sensitive reports.

We aim to acknowledge reports within 7 days and provide a remediation timeline within 30 days for valid vulnerabilities.

The most recent minor release receives security updates. Older minor releases may be patched on a best-effort basis but are not guaranteed support.

In scope: bugs in released code that affect confidentiality, integrity, or availability of users when the library is used as documented.

Out of scope: third-party dependencies (report upstream), social engineering, denial of service via resource exhaustion when called with adversarial input outside the documented contract, and any use outside the documented scope.

We follow coordinated disclosure: we will work with the reporter to confirm, fix, and release a patched version before public disclosure. Reporters are credited in the changelog unless they request anonymity.