We actively support the following versions of SpecificationKit with security updates:

| Version | Supported |
|---|---|
| 3.0.x | ✅ |
| 2.x.x | ✅ |
| < 2.0 | ❌ |
If you discover a security vulnerability in SpecificationKit, please report it responsibly:
For critical security vulnerabilities that could affect users' applications:
- Do NOT create a public GitHub issue
- Email security reports to: egor.merkushev@yandex.ru
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
For lower-severity security concerns:
- Create a GitHub issue with the `security` label
- Provide detailed information about the concern
- Follow responsible disclosure practices
SpecificationKit is designed with thread safety in mind:
- All public APIs are concurrency-safe
- Context providers use appropriate synchronization
- Property wrappers handle concurrent access safely
- All specifications are memory-safe by design
- No unsafe operations in the public API
- Proper resource management for context providers
- Specifications validate input parameters appropriately
- Context providers sanitize external data
- Macro implementations include proper validation
- Critical vulnerabilities: Response within 24 hours, fix within 7 days
- High severity: Response within 72 hours, fix within 14 days
- Medium/Low severity: Response within 1 week, fix in next release
Security updates will be released as patch versions and communicated through:
- GitHub Security Advisories
- Release notes
- Package manager updates
Thank you for helping keep SpecificationKit secure!