# Security Policy
## Reporting a Vulnerability
Report security vulnerabilities via **GitHub Private Vulnerability Reporting**:
<https://github.com/szTheory/parapet/security/advisories/new>
**Do not open a public GitHub issue for security vulnerabilities.** Public issues expose the vulnerability before a fix is available, putting adopters at risk.
## Disclosure Timeline
- **Acknowledgement:** within 3 business days of report receipt.
- **Initial assessment:** within 7 business days — we will confirm whether the report is a valid vulnerability and communicate our initial findings.
- **Fix or mitigation:** coordinated with the reporter; we target 90 days for critical issues and will communicate progress throughout.
- **Public disclosure:** after a fix is available, coordinated with the reporter. We follow responsible disclosure — we will not publish details before a patch is ready.
## Supported Versions
The latest released minor is the supported line. Security fixes are applied to the current release only; older minor versions do not receive backports.
| Version | Supported |
|---------|-----------|
| 1.x (latest) | Yes |
| < 1.0 | No |