Only the latest release is supported with security updates.

Do not open a public issue for security vulnerabilities.

Please report vulnerabilities through GitHub's private security advisory feature.

Include as much detail as possible:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: within 48 hours
• Initial assessment: within 7 days
• Fix or mitigation: best effort, depending on severity

The following are considered security issues:

• Remote code execution
• Command injection
• Credential or token leakage
• Path traversal
• Unauthorized access to resources

The following are intentional behaviors and not security issues:

• HTTP connections to local/private addresses: no defaults to HTTPS for remote hosts but allows HTTP for localhost and private network addresses (127.x, 10.x, 172.16-31.x, 192.168.x). This is by design for testing local services.
• User-specified HTTP URLs: when a user explicitly provides an http:// URL, no respects their choice. Users are expected to understand the implications.
• Display of response data: no displays server responses as-is, including headers and body content. This is core functionality.