During the v1.0 development cycle, only the latest tagged release receives security fixes.

Please use the project's private contact method rather than a public issue.

Expect an initial acknowledgement within one week. Critical issues will be fixed in a patch release; coordinated disclosure is welcome.