# Security Policy

## Support Policy

Security fixes are developed and merged to the default branch (`main`) on a rolling basis.

| Channel | Security fixes |
| --- | --- |
| `main` (default branch) | Yes |
| Other branches/commits | Not actively maintained for security |

## Reporting a Vulnerability

Do not report security vulnerabilities via public GitHub issues.

Report vulnerabilities privately using one of these channels:

1. GitHub private vulnerability reporting (Security Advisories): if enabled, use the repository Security tab and choose "Report a vulnerability".
2. Email: security@conxian-labs.com

We aim to acknowledge receipt within 48-72 hours.