Do not report security vulnerabilities through public GitHub issues.
Use GitHub's private vulnerability reporting:
- Go to the Security tab of this repository
- Click Report a vulnerability
- Fill out the form
If that's unavailable, email: kr.adarsh002@gmail.com

Response timeline:
- Acknowledgment: within 3 business days
- Initial assessment: within 14 days
- Disclosure timeline: coordinated, typically 90 days from report

| Severity | Patch SLA |
|---|---|
| Critical | 7 days |
| High | 30 days |
| Medium | 60 days |
| Low | Next minor release |

Cairn is pre-1.0. Only the main branch receives security updates until the first stable release.

Out of scope:
- Vulnerabilities in vendored dependencies (report upstream)
- Issues requiring physical access
- Social engineering