# Security Policy

## Reporting a Vulnerability

Report security vulnerabilities via **GitHub Private Vulnerability Reporting**:

<https://github.com/szTheory/parapet/security/advisories/new>

**Do not open a public GitHub issue for security vulnerabilities.** Public issues expose the vulnerability before a fix is available, putting adopters at risk.

## Disclosure Timeline

- **Acknowledgement:** within 3 business days of report receipt.
- **Initial assessment:** within 7 business days — we will confirm whether the report is a valid vulnerability and communicate our initial findings.
- **Fix or mitigation:** coordinated with the reporter; we target 90 days for critical issues and will communicate progress throughout.
- **Public disclosure:** after a fix is available, coordinated with the reporter. We follow responsible disclosure — we will not publish details before a patch is ready.

## Supported Versions

The latest released minor is the supported line. Security fixes are applied to the current release only; older minor versions do not receive backports.

| Version | Supported |
|---------|-----------|
| 1.x (latest) | Yes |
| < 1.0 | No |