Only the latest released minor version receives security patches.

| Version | Supported |
|---|---|
| latest | ✅ |
| older | ❌ |

Do not open a public GitHub issue for security problems.
Report via GitHub Security Advisories. This creates a confidential channel between you and the maintainers.
If the Security Advisories flow is unavailable, email security@bold-minds.com.
Include the following in your report:
- A description of the issue and its impact
- Steps to reproduce or a proof-of-concept
- The version affected
- Your Go version and OS, if relevant
- Any suggested mitigation
Expected response times:
- Initial acknowledgement: within 48 hours
- Triage + severity assessment: within 7 days
- Resolution: varies based on complexity, typically within 30 days
You will be credited in the release notes unless you request otherwise.
After you submit a report:
- We acknowledge receipt of your vulnerability report
- We investigate and validate the vulnerability
- We develop and test a fix
- We coordinate disclosure timing with you
- We release a security update
- We publicly acknowledge your responsible disclosure (if desired)
Security updates will be:
- Released as patch versions
- Documented in CHANGELOG.md
- Announced through GitHub releases
- Tagged with security labels
We appreciate responsible disclosure and will acknowledge security researchers who help improve the security of this project.