We take security seriously. If you believe you have found a security vulnerability in kaos-graph, please report it privately so we can address it before public disclosure.

Please do not file a public GitHub issue for security reports.

Use GitHub Private Vulnerability Reporting to send a report. Alternatively, email security@273ventures.com.

Include as much of the following as you can:

• A description of the vulnerability and its impact
• Steps to reproduce, including affected versions
• Any proof-of-concept code, if available
• Suggested mitigations, if you have any

• Acknowledgement — within 3 business days of your report.
• Initial triage — within 7 business days, including a severity assessment.
• Fix and disclosure — coordinated with you. Our target window is 90 days from acknowledgement to public disclosure, faster for high-severity issues.
• Credit — we credit reporters in the release notes and security advisory unless you prefer to remain anonymous.

kaos-graph follows Semantic Versioning. While the project is pre-1.0, only the latest minor release receives security fixes. After 1.0, the latest two minor releases will be supported.

In-scope:

• The kaos-graph Python package as published on PyPI
• The 273v/kaos-graph GitHub repository (CI, release, supply chain)
• The Rust crate kaos-graph (FFI safety, panic-vs-exception conversion, PyO3 binding correctness)

Out of scope:

• Third-party dependencies (report to the upstream project — petgraph, oxrdf/oxrdfio, pyo3, pyoxigraph)
• Issues caused by user-supplied configuration that explicitly disables safety features (e.g., loading untrusted RDF without size caps via the optional kaos-graph-serve HTTP exposure)