Security: ulamai/formalcloud

SECURITY.md

Security Policy

Supported versions

Security fixes are prioritized for the latest released version on main.

Reporting a vulnerability

Please report vulnerabilities privately using one of these channels:

  1. GitHub Security Advisory (preferred): use "Report a vulnerability" in the repository Security tab.
  2. If Security Advisories are unavailable, open a private contact request with maintainers in the organization.

Do not open a public issue for suspected vulnerabilities.

Report content

Please include:

  1. Affected version/tag and deployment mode (CLI, CI gate, admission webhook).
  2. Reproduction steps or proof-of-concept.
  3. Impact assessment (confidentiality/integrity/availability).
  4. Any relevant logs, certificate IDs, and traces.

Response targets

Best-effort targets:

  1. Initial triage response within 3 business days.
  2. Severity assessment and remediation plan within 7 business days.
  3. Coordinated disclosure timeline agreed with the reporter.

Disclosure and credits

Once fixed, maintainers will publish a release note including:

  1. Affected versions.
  2. Mitigation/upgrade guidance.
  3. Credit to reporter (if requested).
