Always upgrade to the latest 1.x release to receive fixes.

1. Do not open a public issue.
2. Submit a private report via GitHub Security Advisories ("Report a vulnerability" button on the repo).
3. Alternatively, email hello@varien.dev with detailed reproduction steps and impact.
4. You will receive acknowledgement within 3 business days. We aim to provide a fix or mitigation plan within 14 days, depending on severity.

When a fix is available, maintainers will coordinate disclosure, publish a patched release, and document remediation steps in the changelog or release notes.