We take the security of bounded-systems projects seriously.

Do not open a public issue for security reports. Instead, use GitHub's private vulnerability reporting:

1. Go to the affected repository's Security tab → Report a vulnerability.
2. Describe the issue, affected versions, and a reproduction if possible.

We aim to acknowledge reports within 3 business days and to provide a remediation timeline after triage. Coordinated disclosure is appreciated; please give us a reasonable window to ship a fix before any public disclosure.

Security fixes target the latest released version on the default branch unless otherwise noted in a repository's own SECURITY.md.