Security Policy
Supported Versions
This project follows the release scheme vMAJOR.CODE.RESOURCE.
| Version Line | Security Updates |
|---|---|
main |
Yes |
v1.x.x |
Yes |
v0.x and older |
No |
Only the latest main branch and current major release line receive active security fixes.
Reporting a Vulnerability
Preferred (Private)
Use GitHub private vulnerability reporting:
Do not open a public issue with exploit details.
If Private Reporting Is Not Available
Open a minimal public issue with title Security Report Request and no technical details. A maintainer will move follow-up to a safer channel.
What To Include
Please include:
- Affected file, component, or script
- Reproduction steps and impact
- Proof of concept (if safe)
- Suggested fix (if available)
- Whether the issue is already public
Response Timeline
- Acknowledgment: within 72 hours
- Initial triage: within 7 days
- Remediation target:
- Critical: 14 days
- High: 30 days
- Medium/Low: next scheduled maintenance release
If timelines change, maintainers will provide updates in the advisory thread.
Disclosure Policy
- Please use coordinated disclosure.
- Do not publish exploit details until a fix or mitigation is released.
- After release, maintainers may publish a security advisory and changelog note.
Scope Notes
In scope:
- Repository code and automation scripts
- GitHub Actions workflows in this repository
- Published search page code under
docs/search/
Out of scope:
- Vulnerabilities only in third-party platforms/services not controlled by this repository
- Social engineering and physical access attacks