This document describes how security vulnerabilities related to the PIC Protocol implementation are handled.
Only the latest stable release is supported for security updates at any given time.
Earlier versions are provided for reference only and are not maintained.
Security issues must be reported privately.
Please use GitHub Security Advisories:
https://github.com/pico-protocol/pic-rs/security/advisories/new
Do not open public issues for security vulnerabilities.
We consider vulnerabilities that could compromise the confidentiality, integrity, or availability of this implementation or its users.
We aim to:
- acknowledge reports within 5 business days,
- provide an assessment or resolution within 30 days, when feasible.
Timelines may vary depending on severity and complexity.
We are happy to publicly acknowledge security reporters in release notes unless anonymity is requested.
Security response and coordination are handled by Nitro Agility S.r.l.
This security policy is provided for informational purposes only.
Nothing in this document creates any obligation, warranty, or liability for:
- Nitro Agility S.r.l.
- The PIC Model creator (Nicola Gallo)
- Project maintainers or contributors
Specifically:
- There is no obligation to respond to any report within any timeframe
- There is no obligation to fix, patch, or remediate any reported issue
- There is no obligation to provide support, updates, or maintenance
- There is no warranty that any issue will be addressed
Response timelines stated above are goals, not commitments.
All security matters are handled at the sole discretion of Nitro Agility S.r.l.
This policy may be changed at any time without notice.