See doc/SECURITY.md for the full policy — supported versions, vulnerability disclosure process, and fixed-vulnerability history.
To report a vulnerability privately, use GitHub Private Vulnerability Reporting. Do not open a public issue for security reports.