Security updates are provided only for the latest released version.

Do not open public GitHub issues for security vulnerabilities.

Report security issues responsibly using one of the following methods:

• GitHub Security Advisories (preferred)
• Email: security@slxca.com

Include as much detail as possible:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Affected versions
• Proof of concept (if available)

1. Report received and acknowledged within 72 hours.
2. Vulnerability triaged and validated.
3. Fix developed and tested.
4. Coordinated disclosure via GitHub Security Advisory.
5. Patch released.

In scope:

• Source code in this repository
• Official releases and containers
• Configuration defaults

Out of scope:

• Third-party dependencies (report upstream)
• Misconfiguration by end users
• Denial of service via resource exhaustion

Security fixes are released as soon as reasonably possible. No backporting to unsupported versions.

Responsible disclosure will be credited unless anonymity is requested.