Do NOT open a public GitHub issue for security vulnerabilities.
Email: security@example.invalid
Replace before public release — substitute the actual security team alias before this repository is published.
We follow a 90-day coordinated disclosure timeline:
- You report a vulnerability privately to the address above.
- We acknowledge receipt within 48 hours.
- We assess severity within 5 business days and send an initial response including our target fix date.
- We work with you on a fix. If a patch ships before 90 days, we coordinate the public disclosure date with you.
- At 90 days from your initial report, you are free to disclose publicly regardless of whether a patch is ready. If a patch ships early, we may request an earlier public date.
We do not retaliate against researchers who report in good faith and follow this policy.
-----BEGIN PGP PUBLIC KEY BLOCK-----
[PLACEHOLDER — replace with real key before public release]
-----END PGP PUBLIC KEY BLOCK-----
Fingerprint: REPLACE_WITH_REAL_FINGERPRINT
| Version | Supported | Notes |
|---|---|---|
| 0.1.x | Yes | Active alpha — patches issued as needed |
| < 0.1 | No | Pre-release snapshots, unsupported |
Only the latest patch release within a supported minor receives security fixes. We do not backport to older minor versions during alpha.
In scope:
- Remote code execution or privilege escalation via the API surface (`/v1/remember`, `/v1/bias`, `/v1/forget`, `/v1/certificate`, `/v1/export`)
- Authentication/authorisation bypass (JWT validation, tenant isolation)
- Cryptographic flaws in forgetting certificates (Ed25519 JWS)
- SQL injection or data exfiltration through the Postgres storage layer
- Secrets leaked via logs, error messages, or API responses
- Supply-chain issues in pinned dependencies (CVEs in `pyproject.toml` deps)
- GDPR Art. 17 erasure bypass: if a `DELETE /v1/forget` succeeds but data persists, that is a critical security issue
- Container image vulnerabilities that allow host escape
Out of scope:
- Vulnerabilities in infrastructure you operate (your cloud, your K8s cluster)
- Denial-of-service issues without demonstrable memory/data impact
- Rate-limit bypass without data exfiltration consequence
- Issues reproducible only with physical access to the host
- Findings from automated scanners with no proof-of-concept or impact analysis
- Social engineering of project maintainers
| Day | Milestone |
|---|---|
| 0 | Report received |
| 2 | Acknowledgement sent |
| 5 | Severity assessment + target date communicated |
| ≤ 90 | Patch released and CVE filed (if applicable) |
| 90 | Public disclosure regardless of patch status |
There is no paid bug bounty for v0.1. We offer acknowledgement in the release notes and CHANGELOG. A bounty program may be introduced at v1.0.