Security fixes are prioritized for:

• Latest stable release
• Previous patch line when feasible

Please use GitHub Security Advisories (private reporting) when possible.

If private reporting is unavailable, open a minimal public issue without exploit details and request private follow-up.

• Initial triage: within 3 business days
• Severity assessment and mitigation plan: within 7 business days
• Patch timing: depends on severity and reproducibility

In scope:

• Capture/Timeline local processing pipeline
• Update/install flow integrity
• Data-at-rest handling in local storage
• Permission and automation boundaries

Out of scope:

• Local compromise where attacker already has root/admin access
• Unsupported forked distributions not built from this repository