codechu-term is a pure-stdlib terminal-capability library. Its
public functions read environment dicts, inspect stream isatty(),
and emit ANSI escape sequences. No network I/O, no subprocess, no
deserialization. The attack surface is intentionally small.
| Version | Supported |
|---|---|
| main branch | ✅ |
| Latest minor release (0.x) | ✅ |
| Older releases | ❌ |
Pre-1.0.0 — only the latest minor receives security fixes.
Open a private advisory at github.com/codechu/codechu-term-py/security/advisories/new.
Write to security@codechu.com.
In scope:
- Inputs that crash a public function for plausible env / stream values (uncaught exceptions).
- Escape-sequence injection — any path where caller-supplied data is emitted as part of a CSI/OSC sequence without being treated as opaque text.
- Resource exhaustion — bounded-time helpers must stay bounded.
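The escape-sequence injection class above, shown as an added example (not code from codechu-term). It assumes a hypothetical OSC 8 hyperlink helper: the naive form splices caller data straight into the sequence, the hardened form first strips every C0/C1 control character so the data can neither terminate the OSC payload nor start a new sequence, and a small check counts control characters in the emitted output to detect a malformed link pair.

```python
import re

# C0 controls (0x00-0x1F), DEL (0x7F) and C1 controls (0x80-0x9F). Inside an
# OSC payload any of these can end or redirect the sequence: ESC (0x1B) starts
# a new sequence, BEL (0x07) and ESC \ (ST) terminate an OSC string.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")

ESC = "\x1b"
BEL = "\x07"


def naive_hyperlink(url: str, label: str) -> str:
    """Vulnerable form (hypothetical helper): url and label are emitted verbatim
    inside an OSC 8 sequence, so an embedded BEL or ESC closes the payload early
    and anything after it reaches the terminal as a live escape sequence."""
    return f"{ESC}]8;;{url}{BEL}{label}{ESC}]8;;{BEL}"


def opaque(text: str) -> str:
    """Treat caller-supplied text as opaque: remove every control character so
    it cannot begin, end or alter an escape sequence. Dropping is used rather
    than escaping because OSC payloads have no escaping mechanism for controls."""
    return _CONTROL_RE.sub("", text)


def safe_hyperlink(url: str, label: str) -> str:
    """Hardened form: both the OSC payload and the visible label are sanitized
    before being embedded, so the output always contains exactly four control
    characters (ESC, BEL, ESC, BEL) regardless of the input."""
    return f"{ESC}]8;;{opaque(url)}{BEL}{opaque(label)}{ESC}]8;;{BEL}"


def has_unexpected_controls(seq: str, expected: int = 4) -> bool:
    """Detection check: a well-formed OSC 8 link pair contains exactly `expected`
    control characters; any other count means caller data altered the framing."""
    return len(_CONTROL_RE.findall(seq)) != expected


if __name__ == "__main__":
    # Constructed sample input: a URL carrying BEL and ESC, which would close
    # the OSC payload early and inject a colour change in the naive form.
    tainted_url = "https://example.invalid/\x07\x1b[31m"
    print(has_unexpected_controls(naive_hyperlink(tainted_url, "docs")))   # True
    print(has_unexpected_controls(safe_hyperlink(tainted_url, "docs")))    # False
```

The same `opaque()` step applies to any CSI or OSC parameter a caller can influence (window titles, clipboard payloads, hyperlink ids); the counting check is a cheap regression test for a library's emitters rather than something to run on every call.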
Out of scope:
- Terminal emulators that misinterpret valid ANSI sequences.
- Windows behaviour (POSIX-first library).
Reports are reviewed on a best-effort basis — no fixed SLA. We aim for coordinated disclosure within 90 days of the report.
Public disclosure is coordinated after the fix is released.
Once a confirmed fix is released:
- A summary is added to the CHANGELOG under the `### Security` category.
- A GitHub Security Advisory is published.
- If a CVE was assigned, its number is referenced.