1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# Security Policy
## Supported Versions
Until a 1.0 release, security fixes land on the latest published minor and are
not backported to earlier `0.x` versions.
| Version | Supported |
| -------- | --------- |
| 0.13.x | ✅ |
| < 0.13 | ❌ |
## Reporting a Vulnerability
We take security vulnerabilities seriously. If you discover a security issue:
1. **Do not** open a public GitHub issue
2. Email security concerns to the maintainers via GitHub's private vulnerability reporting
3. Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if available)
## Response Timeline
- **Acknowledgment**: Within 48 hours
- **Initial assessment**: Within 5 business days
- **Patch target**: Within 90 days
## Dependency Security
We use `cargo audit` in CI to scan for known vulnerabilities in dependencies.
## Secret Scanning
We use [gitleaks](https://github.com/gitleaks/gitleaks) in CI to detect accidentally committed secrets, API keys, and credentials.