Security

SECURITY.md

Security Policy

Reporting a vulnerability

Please do not open public issues for security vulnerabilities.

Report privately to maintainers with:

affected version/commit,
impact,
reproduction steps,
suggested mitigation (if available).

Response expectations

Initial acknowledgment: within 72 hours.
Triage and severity assessment: as soon as possible.
Coordinated disclosure after a fix is available.

Scope

Security reports are prioritized for:

key material handling,
encryption/decryption integrity,
sender trust/pinning logic,
release artifact integrity.

There aren’t any published security advisories