SECURITY-POLICY.md

Security Issue Policy

If you uncover a security issue with versionize_derive, please write to us at firecracker-security-disclosures@amazon.com.

Once the Firecracker maintainers become aware (or are made aware) of a security issue, they will immediately assess it. Based on impact and complexity, they will determine an embargo period (if externally reported, the period will be agreed upon with the external party).

During the embargo period, maintainers will prioritize developing a fix over other activities. Within this period, maintainers may also notify a limited number of trusted parties via a pre-disclosure list, providing them with technical information, a risk assessment, and early access to a fix.

External customers are included in this group based on the scale of their versionize_derive usage in production. The pre-disclosure list may also contain significant external security contributors who can join the effort to fix the issue during the embargo period.

At the end of the embargo period, maintainers will publicly release information about the security issue together with the versionize_derive patches that mitigate it.