
Security: moriyoshi/winterbaume

SECURITY.md

Security Policy

Winterbäume is an AWS service emulator intended for use in automated tests and local development. It is not a production service, and it is not a security product. The emulator deliberately accepts unsigned requests, returns canned credentials, and exposes administrative state-mutation endpoints so that test code can drive it. Do not run winterbaume-server on a public network or treat it as a security boundary.

This policy covers vulnerabilities in the Winterbäume codebase itself.

Reporting a vulnerability

Please use GitHub's private vulnerability reporting to report security issues:

  1. Open the repository's Security tab on GitHub.
  2. Choose Report a vulnerability.
  3. Provide a description, reproduction steps, affected versions or commits, and your assessment of impact.

Do not open a public GitHub issue for security reports, and do not include a working exploit in any public channel before the issue has been triaged.

If GitHub's private vulnerability reporting is unavailable to you, open a non-sensitive issue asking for a private reporting channel and we will coordinate from there. Do not include vulnerability details in that initial issue.

What is in scope

Reports are most useful when they describe one of the following:

  • A way for a malicious payload received by winterbaume-server to read or modify files outside the server's working directory, execute arbitrary code on the host, or cause the host process to crash via a remotely triggerable panic.
  • A way for an attacker controlling the request body to escape the in-memory state isolation between simulated AWS accounts or regions.
  • A vulnerability in any third-party crate that Winterbäume re-exposes through its public API in a way that meaningfully amplifies the issue beyond the upstream advisory.
  • Supply-chain or build-script issues, including malicious or unexpected behaviour in tools/, crates/, or generator code that runs during cargo build, cargo test, or release packaging.

What is out of scope

The following are not considered vulnerabilities and will be closed without action:

  • The fact that winterbaume-server accepts unsigned AWS SDK requests by default. This is the design.
  • The fact that the emulator returns deterministic, well-known mock credentials (for example AKIAIOSFODNN7EXAMPLE, the access key ID AWS itself uses in its documentation) and a fixed account ID. These are documented test fixtures.
  • The fact that handlers do not enforce IAM, signature verification, KMS cryptography, or other AWS-side security controls that the real services enforce. Winterbäume only simulates control-plane behaviour relevant to integration testing.
  • Reports generated by automated scanners against publicly documented test fixtures, mock PEM material, or example credentials in the repository.
  • Resource exhaustion via unbounded request bodies sent to a locally bound server. Run the server only on loopback or another trusted local interface; it does not limit or authenticate what it is sent.
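The policy above, and the opening paragraph, both rest on one operational condition: winterbaume-server must only ever listen on a trusted local interface. The following script is an added example, not part of the Winterbäume project, that audits a Linux host for violations of that condition. It parses `ss -ltnp` output and reports any process whose name contains `winterbaume` that is listening on a wildcard or non-loopback address. The sample `ss` output is constructed for this example; the truncated process name, PIDs and port numbers in it are assumptions, not values the project documents.

```python
import ipaddress
import re
import subprocess
from typing import List, Tuple

# Constructed sample of `ss -ltnp` output; not captured from a real host.
# The process name (cut to 15 characters, as ss prints comm names), the
# PIDs and the ports are assumptions made for this example.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:4566      0.0.0.0:*         users:(("winterbaume-ser",pid=4242,fd=9))
LISTEN 0      128    0.0.0.0:4567        0.0.0.0:*         users:(("winterbaume-ser",pid=4243,fd=9))
LISTEN 0      128    [::1]:4568          [::]:*            users:(("winterbaume-ser",pid=4244,fd=9))
LISTEN 0      128    *:4569              *:*               users:(("winterbaume-ser",pid=4245,fd=9))
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
"""

# Matches the first ("name",pid=N ...) entry in the Process column.
PID_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split an ss endpoint such as '[::1]:4568' or '0.0.0.0:*' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_loopback(host: str) -> bool:
    """True only for 127.0.0.0/8 and ::1. Wildcards ('*', 0.0.0.0, ::) are not loopback."""
    if host == "*":
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # An address we cannot parse is not something we can call safely local.
        return False


def exposed_listeners(ss_output: str, name_fragment: str = "winterbaume") -> List[Tuple[str, str, int]]:
    """Return (host, port, pid) for every matching process listening beyond loopback."""
    findings: List[Tuple[str, str, int]] = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a listening socket.
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        match = PID_RE.search(line)
        if not match or name_fragment not in match.group(1):
            continue
        host, port = split_endpoint(fields[3])
        if not is_loopback(host):
            findings.append((host, port, int(match.group(2))))
    return findings


def audit_host(name_fragment: str = "winterbaume") -> List[Tuple[str, str, int]]:
    """Run ss on this host (Linux with iproute2) and audit the live listening sockets."""
    result = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True)
    return exposed_listeners(result.stdout, name_fragment)


if __name__ == "__main__":
    # Demonstrate on the constructed sample; call audit_host() for the real thing.
    for host, port, pid in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"pid {pid} listens on {host}:{port}, which is reachable beyond loopback")
```

Only the 127.0.0.1 and [::1] listeners in the sample pass; the 0.0.0.0 and `*` bindings are reported. Note that `ss` needs root (or the `CAP_NET_ADMIN`-equivalent privileges) to show the Process column for sockets owned by other users, so run the audit as the user that started the emulator or with sufficient privileges.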

Supported versions

Only the latest published version of each winterbaume-* crate is supported. Fixes are released as new versions; older versions will not receive backports unless explicitly noted in the release notes.

Disclosure expectations

Winterbäume is maintained on a best-effort basis. We will acknowledge receipt of a valid report and work toward a fix, but we cannot commit to a fixed response timeline. Once a fix is available, we will coordinate disclosure through the same GitHub Security Advisory.
