We generally support the latest minor version of usql-mcp. Security fixes are released as patch versions on top of the latest published release.

If you discover a security vulnerability, please report it privately. Do not open a public issue.

1. Navigate to the repository’s Security → Advisories tab and create a draft advisory.
2. Include as much detail as possible: steps to reproduce, expected and actual behaviour, and any proof of concept if available.
3. We will acknowledge receipt within 3 business days, provide an initial assessment within 10 business days, and keep you updated as we work on a fix.

Once a fix is ready we will coordinate a disclosure timeline with you, publish a security advisory, and release a patched version.

Thank you for helping keep the project and its users secure.