TNT currently supports security fixes for the latest published release and the current main branch.

This policy will become stricter after TNT has a longer stable release history.

Do not open a public issue for a security vulnerability.

Report privately through one of these paths:

• GitHub private vulnerability reporting, when available on the repository
• email: contact@m1ng.space

Include:

• affected version or commit
• operating system and deployment shape
• reproduction steps or proof of concept
• expected impact
• whether the issue is already public

The maintainer will try to acknowledge valid reports within 7 days. Fixes may land on main before a release is published. For serious issues, the release notes will mention the security impact after users have a reasonable upgrade path.

In scope:

• remote crashes or memory-safety bugs
• authentication or access-token bypass
• unintended file writes outside TNT_STATE_DIR
• privilege escalation in packaged service configuration
• release artifact tampering or installer verification bypass

Out of scope:

• denial of service from an operator intentionally disabling rate limits
• identity spoofing in the documented anonymous-access mode
• vulnerabilities requiring local administrator access to the host

Release binaries are published with checksums.txt. The installer verifies the selected binary against that file before installation. Future releases should add a detached signature for checksums.txt before package recipes are submitted to public registries.