Security fixes are provided for the latest release and the main branch.
Please do not open public issues for vulnerabilities.
- Open a private security advisory in the GitHub Security tab.
- Include impact, reproduction steps, and suggested remediation.
- Expect an acknowledgment within 72 hours.

- We validate and triage severity.
- We prepare a fix and tests.
- We publish release notes with mitigation guidance.

- Webhook signature validation
- Authz/authn middleware
- Data handling and logging paths
- CI/CD and supply chain integrity