SR8 security controls and automation are documented in docs/security.md.

Current supported line:

• 1.x

If your finding could expose users, maintainers, or supply-chain integrity:

1. Use GitHub private vulnerability reporting (Security Advisories) for this repository.
2. Include impact, reproduction details, and affected versions.
3. Avoid posting exploit details in public issues before a fix is available.

If private advisory reporting is not available in your context, open a minimal public issue and request a secure contact path without disclosing exploit details.

• Acknowledge receipt as soon as practical.
• Reproduce and assess scope.
• Land a fix with tests.
• Publish a patched release through the release workflow.
• Share advisory details after remediation is available.