The Waymark project aims to treat security issues seriously and respond to well-scoped reports responsibly.
Waymark is currently pre-release software.
At this stage, only the latest development state is in scope. No compatibility or long-term support guarantees are made before a stable release policy is published.
See docs/security/support.md for the full support policy.
Do not report security vulnerabilities in public issues.
Report vulnerabilities privately through the repository's GitHub Security Advisory reporting path:
https://github.com/steadytao/waymark/security/advisories/new
Use that GitHub path only for vulnerability reports.
A report should include:
- a clear description of the issue
- the affected component or behaviour
- the security impact
- reproduction steps or a minimal proof
- relevant environment details
- any important assumptions or preconditions
A valid security report should identify a security-relevant flaw in Waymark itself.
Examples of potentially valid reports include:
- policy enforcement bypass caused by a bug in Waymark
- unintended information disclosure caused by Waymark
- privilege or trust-boundary violations caused by Waymark
- release or verification flaws caused by Waymark
- incorrect security behaviour that contradicts documented guarantees
The following are generally out of scope unless Waymark itself is the root cause:
- unsafe deployments caused solely by operator misconfiguration
- compromised hosts or already-compromised clients
- unrelated third-party infrastructure failures
- generic complaints about DNS as a protocol
- findings that depend entirely on insecure external software outside Waymark's responsibility
Please allow reasonable time for triage, confirmation and remediation before public disclosure.
If a report is valid, the project will aim to acknowledge it, assess impact and coordinate remediation responsibly.
Waymark is intended to be usable in serious managed environments, including enterprise and public-sector contexts, but security outcomes depend on the actual deployment model, surrounding controls and operational discipline.
The project should not be treated as making stronger guarantees than its documented boundaries support.