# Security Policy

## Supported versions

The project is maintained on the `main` branch. Security fixes are expected to land there first.

## Reporting a vulnerability

Do not open a public GitHub issue for an unpatched security vulnerability.

Prefer GitHub's private vulnerability reporting for this repository when it is available.

If private reporting is not available, contact the maintainer privately before public disclosure.

Include:

- A clear description of the issue
- Impact and affected area
- Reproduction steps or proof of concept
- Any proposed mitigation

## Response expectations

- We will acknowledge receipt as soon as practical.
- We may ask for clarification or a private reproduction.
- Public disclosure should wait until a fix or mitigation is available.