# Security Policy

## Supported Versions

Until OpenCandle reaches `1.0.0`, security support is limited to the latest pre-1.0 release line.

| Version | Supported |
| ------- | --------- |
| Latest `0.x` release | Yes |
| Older pre-1.0 releases | No |
| Unreleased local forks | No |

## Reporting a Vulnerability

Do not open public GitHub issues for security vulnerabilities.

Use GitHub Security Advisories or the repository's private vulnerability reporting channel to report suspected vulnerabilities to the maintainers.

When reporting an issue, include:

- affected version or commit
- impact summary
- reproduction steps or proof of concept
- any suggested mitigation, if known

Maintainers will acknowledge valid reports, investigate them privately, and coordinate a fix and release before public disclosure when practical.
