Please do not create a public Issue for security problems. Instead, email us at me@apocalix.dev or use GitHub Security Advisories to submit a private report.
Include:
- Affected versions/commit SHA
- Environment (OS, runtime, versions)
- Reproduction steps, PoC, and impact
- Any possible mitigations

We will acknowledge receipt within 72 hours, provide an initial assessment within 7 days, and aim to release a fix or mitigation within 14–30 days depending on severity and scope.

In scope: security issues that affect the confidentiality, integrity, or availability of users or data in this project (code, build chain, release artifacts, and deployed configurations for official demos).

Out of scope examples: social engineering against maintainers, vulnerabilities exclusively in third-party dependencies unless our default configuration makes them exploitable.

- We prefer coordinated disclosure. Please give us reasonable time to investigate and remediate before public disclosure.
- After a fix is released, we’ll credit reporters in the release notes unless you request otherwise.

We support the latest release. If we maintain LTS branches, they will be listed here with end-of-support dates.

| Version | Supported |
|---|---|
| latest | ✅ |

At our discretion we may request a CVE (or GHSA ID) for high-impact issues once a fix is available.