31 lines
1.0 KiB
Markdown
31 lines
1.0 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
Security fixes are evaluated against the current `main` branch and the latest
|
|
public release. Older snapshots may receive a fix only when the affected code is
|
|
still present in the current release line.
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
Do not open a public issue with exploit details, credentials, provider tokens,
|
|
local transcripts, or account identifiers.
|
|
|
|
Use GitHub private vulnerability reporting for this repository when it is
|
|
available. If private reporting is not available, open a minimal public issue
|
|
asking for a secure maintainer contact path and do not include technical exploit
|
|
details.
|
|
|
|
Helpful reports include:
|
|
|
|
- Affected version or commit.
|
|
- A concise description of the vulnerable behavior.
|
|
- Reproduction steps using placeholders instead of real credentials.
|
|
- Expected impact and any known mitigations.
|
|
|
|
## Handling
|
|
|
|
Maintainers will acknowledge valid reports, triage severity, prepare a fix on a
|
|
restricted branch when appropriate, and publish public details after a release or
|
|
mitigation is available.
|