This project is currently in the 0.1.x line. Security fixes will be applied on the latest development branch and released forward from there.
Do not report undisclosed vulnerabilities in public issues or discussions.
Send a private report that includes:
- affected component or endpoint
- reproduction steps or proof of concept
- impact assessment
- any suggested mitigation or patch direction
Until a dedicated security contact is published, use a private maintainer channel that is not publicly indexed and include HexShare security report in the subject.
- initial acknowledgement target: 5 business days
- triage and severity assessment target: 10 business days
- fix timeline depends on impact, exploitability, and release coordination with dependent deployments
Please allow time for validation, remediation, and coordinated release before public disclosure.