We take security seriously. This document explains how to report vulnerabilities and which versions are supported.

The project follows a rolling release model for the main branch. The minimum supported toolchain is {{MIN_SUPPORTED_VERSIONS}}. Versioned releases, if any, will be listed here with support windows.

| Version | Supported |
|---|---|
| main | Yes |
| x.y.z | TODO |

- Email: {{CONTACT_EMAIL}}
- Optional PGP key: {{SECURITY_PGP_KEY_URL}}

Please include:
- Affected version(s) and environment
- Reproduction steps or proof of concept
- Impact assessment and suggested mitigations

We aim to acknowledge reports within 2 business days and provide a timeline for remediation after triage.

We prefer coordinated disclosure. We will keep all reports confidential, apply fixes, and publish security advisories when appropriate.

- We use lockfiles where applicable and encourage pinning dependencies.
- Dependabot (or equivalent) may be enabled to monitor vulnerabilities.