The package is under active development, so security updates will be coming steadily while in 0.*

This policy will be updated once we hit 1.0.0

We use GitHub's private reporting: Privately reporting a security vulnerability.

In short, go to the Security tab and into Advisories.