Security Policy
Reporting a Vulnerability
If you discover a security vulnerability in carapace, please report it privately.
Preferred channel: GitHub Private Vulnerability Reporting
https://github.com/puremachinery/carapace/security/advisories/new
If the advisory form is unavailable, open a public issue titled "Security Contact Request" that contains no vulnerability details, so that we can move the report to a private channel.
What to include:
- Description of the vulnerability
- Steps to reproduce
- Affected versions (or "latest master", ideally with the commit hash you tested against)
- Impact assessment if you have one
What to expect:
- Acknowledgment within 48 hours
- A fix or mitigation plan within 7 days for critical issues
- Credit in the release notes (unless you prefer anonymity)
Please do not post vulnerability details in a public GitHub issue.
Supported Versions
Only the latest release, built from the master branch, is actively maintained and receives security fixes; older releases are not patched.
Security Architecture
See docs/security.md for the full threat model, trust boundaries, and implementation details.