Security updates are applied to the latest master release line.

Please do not open public GitHub issues for security reports.

Send a report to security@stateset.com with:

1. A clear description of the issue and impact.
2. Reproduction steps or proof-of-concept.
3. Affected version/commit and environment details.
4. Any suggested remediation.

1. Initial acknowledgment: within 2 business days.
2. Triage and severity assignment: as soon as reproducibility is confirmed.
3. Fix timeline: based on severity and exploitability.
4. Coordinated disclosure: after patch availability.