| Version | Support Status | Notes |
|---|---|---|
| v1.x | Active support | Receives security patches |
| v0.x | End of life | No security updates; upgrade required |
In scope:
- BrainXio GitHub repositories
- GitHub Actions workflows
- MCP servers (`brainxio-agent-*` packages)
- Published packages: npm (`@brainxio/*`), PyPI (`brainxio-*`), crates.io (`brainxio-*`)
Out of scope:
- Social engineering or phishing attacks
- Denial-of-service attacks
- Third-party services or dependencies (report these upstream)
- Vulnerabilities already publicly disclosed (e.g. with an assigned CVE)
Preferred: GitHub Security Advisories
Open a draft advisory at `https://github.com/BrainXio/<repo>/security/advisories/new`, replacing `<repo>` with the affected repository.
Backup: email github@brainxio.org. Encrypt the report if possible (a PGP key for this address is available on public keyservers).
What to include:
- Affected repository and version or commit SHA
- Description of the vulnerability
- Steps to reproduce
- Proof-of-concept or exploit (if any)
- Potential impact assessment
Do not open public issues or discuss vulnerabilities publicly until a patch is available.
| Severity | Initial Response | Triage |
|---|---|---|
| Critical | 24 hours | 48 hours |
| High | 48 hours | 5 business days |
| Medium | 5 business days | — |
| Low | 5 business days | — |
Severity is assessed by BrainXio based on CVSS scoring and blast radius.
Disclosure process:
1. Reporter submits the report via a GitHub Security Advisory or email.
2. BrainXio acknowledges receipt within the SLA window above.
3. BrainXio reproduces and validates the issue and requests a CVE identifier if applicable.
4. A fix is developed under embargo.
5. The patch is released publicly, with credit to the reporter if agreed.
6. Public disclosure normally occurs only after a fix is available.
7. As a backstop, a full public advisory is published within 90 days of the initial report, regardless of patch status.
Good-faith security research performed in accordance with this policy will not result in legal action by BrainXio.
BrainXio reserves the right to update this policy. Substantive changes will be reflected in this file.