We are currently in beta. Security updates are provided for the latest beta release.
| Version | Supported | Status |
|---|---|---|
| 0.1.x | ✅ | Beta - Active development |
| < 0.1.0 | ❌ | Pre-release - No longer supported |
Note: Once we reach 1.0.0 stable, we will provide long-term security support for stable releases.
We use GitHub's private vulnerability reporting. Please do not open a public issue or pull request for a security problem.
- Go to the repository's Security tab
- Click "Report a vulnerability"
- Provide detailed information:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
Response Time: You should receive a response within 48 hours.
We prefer all communications to be in English.
- Report received - Security issue is reported and acknowledged within 48 hours
- Triage - Issue is confirmed and severity assessed (24-72 hours)
- Fix development - Fix is developed in a private repository
- Testing - Fix is tested thoroughly against the vulnerability
- Advisory - Security advisory is drafted and reviewed
- Release - Patch is released with security fix
- Notification - Users are notified via:
  - GitHub Security Advisory
  - Release notes
  - npm security advisory
  - GitHub Discussions announcement
Severity is assessed using the Common Vulnerability Scoring System (CVSS) base score. Target patch timelines by severity:
- Critical (9.0-10.0): Immediate patch release
- High (7.0-8.9): Patch within 7 days
- Medium (4.0-6.9): Patch within 30 days
- Low (0.1-3.9): Patch in next regular release
We don't currently have a bug bounty program, but we appreciate responsible disclosure and will:
- Acknowledge security researchers in our release notes
- Credit you in the security advisory (if desired)
- Provide early notification of the fix