Security fixes are provided for the latest released version of each package (Waffle.Core, Waffle.Bakery, Waffle.ModelProxy). Please make sure you are on the latest version before reporting.

Please do NOT report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Instead, report them privately through GitHub's private vulnerability reporting. This keeps the details confidential until a fix is available.

When reporting, please include as much of the following as you can:

• The affected package(s) and version(s)
• A description of the vulnerability and its impact
• Steps to reproduce, or a proof-of-concept
• Any suggested mitigation, if you have one

• We aim to acknowledge your report within a few business days.
• We will keep you informed as we investigate and work on a fix.
• Once a fix is released, we will publish a security advisory and credit you, unless you prefer to remain anonymous.