| Version | Supported |
|---|---|
| latest (main) | Yes |
| Older releases | No |

Only the latest release on main receives security updates.

Do not open a public GitHub issue for security vulnerabilities.
Instead, please use one of these channels:
- GitHub Private Vulnerability Reports — preferred. Go to the Security tab and submit a private advisory.
- Email — send details to security@foundryworks.com.

Please include the following in your report:

- Description of the vulnerability
- Steps to reproduce
- Affected component(s) and version(s)
- Potential impact assessment
- Suggested fix (if you have one)

| Stage | SLA |
|---|---|
| Acknowledgment | 72 hours |
| Initial assessment | 7 days |
| Fix or mitigation | 90 days |

We will keep you informed of our progress throughout the process.

There is no formal bug bounty program at this time. We deeply appreciate responsible disclosure and will credit reporters in release notes (unless you prefer to remain anonymous).

We ask that you:
- Give us reasonable time to address the issue before public disclosure
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption during testing
- Do not access or modify data belonging to other users

We commit to:
- Acknowledging your report promptly
- Working with you to understand and resolve the issue
- Crediting you (if desired) when the fix is released