Security: rulehub/rulehub-backstage-plugin

SECURITY.md

Security Policy

Supported Versions

We generally support (and backport critical fixes to) the latest minor release. Earlier versions may receive fixes on a best-effort basis.

Reporting a Vulnerability

Please email security@rulehub.io with:

  • A descriptive title
  • Affected version(s) (git SHA or npm version)
  • Reproduction steps / proof of concept
  • Impact assessment (what could an attacker achieve)

You will receive an acknowledgement within 3 business days. We aim to provide an initial remediation plan or timeline within 10 business days.

Public Disclosure

Do not create a public GitHub issue for security vulnerabilities prior to coordinated disclosure. After a fix, we will publish a release and reference the issue in the CHANGELOG.

Vulnerability Handling Process

  1. Triage & confirm.
  2. Determine severity & scope.
  3. Develop fix + tests.
  4. Release patched version.
  5. Publicly disclose (CHANGELOG + advisory if warranted).

Thank you for responsibly disclosing issues and helping keep the community safe.
