If you discover a security vulnerability in Haven SDK, please report it responsibly by emailing:
Do not open a public GitHub issue for security-related bugs.
The following are considered in-scope for vulnerability reports:
- All packages under `packages/` (core, store, cli, plugin-*)
- Build and publish pipeline configuration (`turbo.json`, `tsconfig.*.json`)
- Dependency confusion or supply-chain risks in published npm packages
The following are explicitly out of scope:
- Vulnerabilities in third-party model provider APIs (OpenAI, Anthropic, etc.)
- Issues in dependencies that are already tracked upstream (report to the upstream maintainer)
- Denial-of-service attacks requiring physical access or privileged network positions
| Step | Expected Time |
|---|---|
| Acknowledgment of report | Within 48 hours |
| Initial triage and severity assessment | Within 5 business days |
| Fix or mitigation plan communicated | Within 10 business days |
| Patch released | As soon as practical, based on severity |
- We ask that reporters give us 90 days to address an issue before public disclosure.
- We will credit reporters (with permission) in release notes and security advisories.
- Critical vulnerabilities will receive a CVE through GitHub Security Advisories when applicable.
Only the latest published version of each package is actively supported. Please ensure you are running the most recent release before reporting.