Only the latest release receives security fixes. We do not backport patches to older versions.
Do not open a public issue for security bugs.
Use GitHub's private vulnerability reporting:
- Go to the Security tab of this repository
- Click "Report a vulnerability"
- Provide a clear description, reproduction steps, and impact assessment
If you cannot use GitHub's reporting, email hello@prim.sh.

| Stage | Target |
|---|---|
| Acknowledge report | 48 hours |
| Triage and severity assessment | 7 days |
| Patch for critical issues | 30 days |
| Patch for non-critical issues | 90 days |

We will keep you informed of progress throughout the process.
The following are not considered security vulnerabilities:
- Rate limiting behavior on faucet.sh (testnet faucet is intentionally open with per-address limits)
- Known limitations of the x402 payment protocol itself (report these to x402)
- Denial-of-service via high request volume (this is an operational concern, not a vulnerability)
- Issues requiring physical access to the server
- Social engineering attacks
- Spam or abuse of free-tier endpoints
We follow coordinated disclosure:
- Reporter submits privately
- We confirm, triage, and develop a fix
- We release the patch and publish an advisory
- Reporter is credited in the release notes (unless they prefer anonymity)
Please allow us reasonable time to address the issue before any public disclosure.