Security: FelixSeptem/baymax

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report potential vulnerabilities by email:

  • whenhow94@qq.com
  • Suggested subject: [baymax-security] <short summary>
  • Do not create a public issue for unpatched vulnerabilities.

Scope

This process covers vulnerabilities in:

  • Runtime packages and adapters in this repository.
  • Build/test scripts and CI workflows that affect supply-chain safety.

Response Process (Best-Effort, No SLA)

This is a personal project in its pre-1.x stage. Reports are handled on a best-effort basis, with no guaranteed response or remediation timelines.

Maintainers will attempt to:

  • Confirm receipt.
  • Triage severity and impact.
  • Prepare fix/mitigation when feasible.
  • Publish disclosure notes when appropriate.

Disclosure Process

  1. Receive report through the security email channel.
  2. Triage and classify severity.
  3. Prepare fix and validation.
  4. Coordinate disclosure timing with reporter.
  5. Publish advisory and release notes/changelog entry.

Supported Versions

Security fixes are prioritized for the latest minor line. Backports to older minors are best-effort and evaluated case by case.

There aren't any published security advisories