We take the security of VoidCode seriously. If you discover a potential vulnerability, please report it privately rather than opening a public issue.
VoidCode is currently pre-MVP. At this stage, security fixes are only supported for the latest code on the master branch.
| Version | Supported |
|---|---|
| master | ✅ |
| pre-MVP historical revisions | ❌ |
Do not report security-sensitive issues through public GitHub issues.
Please use GitHub's private vulnerability reporting flow:
When possible, include:
- the affected component (for example: runtime, CLI behavior, or a specific tool)
- a description of the issue and its impact
- reproduction steps, sample input, configuration, or proof-of-concept details
- environment details such as OS, Python version, Bun version, and the affected commit hash
After receiving a report, we will:
- acknowledge receipt and perform an initial review
- assess the severity and priority
- work on a private fix and validate it
- release the fix according to the project's maintenance cadence and publish a security advisory when appropriate
Please keep vulnerability details private until a fix has been prepared and disclosed responsibly.
We do not currently run a formal bug bounty program, but we appreciate responsible disclosure and the help of security researchers and contributors.
For non-security contributions, see CONTRIBUTING.md.