Security: NotAProfDev/oath

SECURITY.md

Security Policy

⚠️ OATH is pre-release software — do not use it in production. No versions have been released yet, and the API is unstable.

Supported versions

Only the main branch is supported. There are no released versions, so security fixes land on main and are not backported.

Version            Supported
main               Yes
Released versions  None yet

Reporting a vulnerability

Please report security vulnerabilities through GitHub's private vulnerability reporting:

  1. Open the repository's Security tab.
  2. Click Report a vulnerability.
  3. Fill in the advisory form with as much detail as you can — affected crate, reproduction steps, and impact.

This keeps the report private until a fix is ready. Please do not open a public issue for security-sensitive reports.

What to expect

OATH is maintained by a single person on a best-effort basis, so response times vary. You can expect an acknowledgement once the report has been read, and coordination through the private advisory thread until the issue is resolved or declined. There is no formal SLA at this stage.

There aren't any published security advisories