We provide security updates for the current minor line. While we are in 0.x, we support the latest 0.x release.

After we reach 1.0, we will support the latest major and previous major line with security fixes.

Do not report security vulnerabilities in public issues.

• Where to report: Open a GitHub Security Advisory for this repository, or email the maintainers if you need a private channel (see CONTRIBUTING.md or repo description for contact).
• What to include: Description of the vulnerability, steps to reproduce, and impact. If you have a suggested fix, you can include it.
• What to expect: We aim to acknowledge within 5 business days. If we accept the report, we will work on a fix and coordinate disclosure. If we decline, we will explain why.
• Recognition: We are happy to credit you in the advisory and release notes unless you prefer to remain anonymous.