The current support policy is:
| Version Range | Security Support |
|---|---|
| 1.x | Supported on a best-effort basis |
| <1.0 | Not supported |
Please do not report security vulnerabilities through public GitHub issues or pull requests.
If you have a private maintainer contact channel, use it. If you do not, open a minimal public issue requesting a secure reporting path and do not include exploit details, proof-of-concept code, secrets, or sensitive environment information.
When reporting a vulnerability, include:
- affected package version
- affected module or file
- vulnerability type and impact
- clear reproduction steps
- any known mitigations or workarounds
Once a report is received, maintainers should:
- acknowledge receipt as soon as practical
- confirm the affected versions and impact
- prepare and review a fix
- coordinate a release and changelog entry
- disclose the issue publicly after users have a reasonable upgrade path
This policy applies to:
- code in `cap/`
- examples in the repository
- packaging and release metadata for the published SDK
It does not automatically cover third-party services or deployments that embed this package unless the vulnerability is caused by this repository itself.