# Security Policy
## Supported versions
Only the latest released version is supported with security fixes.
## Reporting a vulnerability
Please report suspected vulnerabilities privately through GitHub Security Advisories, or by emailing the maintainer listed in the repository.
Do not publish a public issue for a suspected vulnerability until maintainers have had a reasonable opportunity to investigate and release a fix.
## Production guidance
- Always sign challenges with `ALTCHA_HMAC_SECRET`.
- Use short expirations, for example 5 to 10 minutes.
- Store used challenge signatures/nonces server-side and reject replays.
- Bind challenge metadata to the expected action, for example `--data action=register`.
- Never trust challenge fields submitted by the browser unless `verify` or `verify-payload` succeeds.
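The five points above are one server-side verification path: authenticate the HMAC first, then check the proof of work, then enforce the expiry and action bound into the challenge, and finally reject replays. The following is an added example, not this project's code or the ALTCHA library's API. It assumes a challenge format in which the salt carries `expires` and `action` as query parameters, the challenge is SHA-256 over salt + number, and the signature is HMAC-SHA256 over the challenge hash; `create_challenge`, `solve`, `verify_payload`, `EXAMPLE_SECRET` and the in-memory replay set are hypothetical names chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Hypothetical values for this example; a real deployment reads the secret
# from the ALTCHA_HMAC_SECRET environment variable and never hard-codes it.
EXAMPLE_SECRET = "example-secret-for-tests-only"
DEFAULT_TTL = 300  # 5 minutes, per the "short expirations" guidance

FIELDS = ("algorithm", "challenge", "number", "salt", "signature")


def _sign(secret, challenge):
    # HMAC-SHA256 over the challenge hash. The salt (and the metadata inside it)
    # is bound transitively because the challenge is sha256(salt + number).
    return hmac.new(secret.encode(), challenge.encode(), hashlib.sha256).hexdigest()


def create_challenge(secret, action, ttl=DEFAULT_TTL, max_number=10_000, now=None):
    """Server side: issue a signed challenge whose salt carries expiry and action."""
    now = time.time() if now is None else now
    params = urlencode({"expires": int(now) + ttl, "action": action})
    salt = secrets.token_hex(12) + "?" + params
    number = secrets.randbelow(max_number + 1)
    challenge = hashlib.sha256((salt + str(number)).encode()).hexdigest()
    return {
        "algorithm": "SHA-256",
        "challenge": challenge,
        "salt": salt,
        "signature": _sign(secret, challenge),
        "maxnumber": max_number,
    }


def solve(challenge):
    """Client side: find the number (the proof of work) and encode the payload."""
    for number in range(challenge["maxnumber"] + 1):
        digest = hashlib.sha256((challenge["salt"] + str(number)).encode()).hexdigest()
        if digest == challenge["challenge"]:
            payload = {k: challenge[k] for k in FIELDS if k != "number"}
            payload["number"] = number
            return base64.b64encode(json.dumps(payload).encode()).decode()
    raise ValueError("no solution within maxnumber")


def verify_payload(secret, payload_b64, expected_action, used, now=None):
    """Server side. Returns (ok, reason). `used` is the replay store (a set here)."""
    now = time.time() if now is None else now
    try:
        data = json.loads(base64.b64decode(payload_b64, validate=True))
        fields = {k: data[k] for k in FIELDS}
    except (ValueError, KeyError, TypeError):
        return False, "malformed payload"
    if not isinstance(fields["number"], int) or not all(
        isinstance(fields[k], str) for k in FIELDS if k != "number"
    ):
        return False, "malformed payload"
    if fields["algorithm"] != "SHA-256":
        return False, "unsupported algorithm"
    # 1. Authenticate before trusting anything else in the payload: only a challenge
    #    we issued carries a valid HMAC, so the salt metadata is trustworthy after this.
    expected_sig = _sign(secret, fields["challenge"])
    if not hmac.compare_digest(expected_sig.encode(), fields["signature"].encode()):
        return False, "bad signature"
    # 2. Check the proof of work against the now-authenticated challenge hash.
    recomputed = hashlib.sha256((fields["salt"] + str(fields["number"])).encode()).hexdigest()
    if not hmac.compare_digest(recomputed.encode(), fields["challenge"].encode()):
        return False, "wrong solution"
    # 3. Enforce the expiry and action that were bound into the salt at issue time.
    query = fields["salt"].split("?", 1)[1] if "?" in fields["salt"] else ""
    params = parse_qs(query)
    try:
        expires = int(params["expires"][0])
    except (KeyError, ValueError):
        return False, "missing expiry"
    if now > expires:
        return False, "expired"
    if params.get("action", [None])[0] != expected_action:
        return False, "action mismatch"
    # 4. Reject replays: each signature is accepted once. Production would use a shared
    #    store (e.g. Redis) whose entry TTL is no shorter than the challenge lifetime.
    if fields["signature"] in used:
        return False, "replay"
    used.add(fields["signature"])
    return True, "ok"
```

The order of the checks is the point: the signature is verified before the salt's `expires` or `action` is read, so a browser cannot extend its own deadline or retarget a challenge by editing the salt (the recomputed hash would no longer match the signed challenge). Keying the replay store on the signature means the store can be pruned on the same schedule as the expiry, which is why short lifetimes keep it small.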