# Security Policy

## Reporting A Vulnerability

Please do not open a public issue for suspected security vulnerabilities.

Report them privately through GitHub's security advisory flow for this
repository if it is enabled. If private reporting is unavailable, contact the
maintainer directly before publishing details.

Include:

- A concise description of the issue
- Affected versions or commit range
- Reproduction steps or proof of concept
- Expected impact
- Any suggested mitigation if you already have one

## Response Expectations

This is a small maintained project, so response time is best-effort. Reports
that are clear, reproducible, and scoped to this repository will be easier to
triage quickly.