
Security: Jebel-Quant/basanos


SECURITY.md

Security Policy

Supported Versions

We actively support the following versions with security updates:

Version   Supported
0.6.x     Yes
< 0.6     No

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

Do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

  1. GitHub Security Advisories (Preferred)

    • Go to the Security Advisories page
    • Click "New draft security advisory"
    • Fill in the details and submit
  2. Email

    • Send details to the repository maintainers
    • Include "SECURITY" in the subject line

What to Include

Please include the following information in your report:

  • Description: A clear description of the vulnerability
  • Impact: The potential impact of the vulnerability
  • Steps to Reproduce: Detailed steps to reproduce the issue
  • Affected Versions: Which versions are affected
  • Suggested Fix: If you have one (optional)

What to Expect

  • Acknowledgment: We will acknowledge receipt within 48 hours
  • Initial Assessment: We will provide an initial assessment within 7 days
  • Resolution Timeline: We aim to resolve critical issues within 30 days
  • Credit: We will credit reporters in the security advisory (unless you prefer to remain anonymous)

Scope

This security policy applies to:

  • The basanos Python package and its public API
  • GitHub Actions workflows provided by this repository
  • Shell scripts and utilities in .rhiza/

Out of Scope

The following are generally out of scope:

  • Vulnerabilities in upstream dependencies (report these to the respective projects)
  • Issues that require physical access to a user's machine
  • Social engineering attacks
  • Denial of service attacks that require significant resources

Security Measures

This project implements several security measures:

Code Scanning

  • CodeQL: Automated code scanning for Python and GitHub Actions
  • Bandit: Python security linter integrated in CI and pre-commit
  • pip-audit: Dependency vulnerability scanning
  • Secret Scanning: GitHub secret scanning enabled on this repository

Supply Chain Security

  • SLSA Provenance: Build attestations for release artifacts (public repositories only)
  • Locked Dependencies: uv.lock ensures reproducible builds
  • Dependabot: Automated dependency updates with security patches (version and security updates)
  • Renovate: Additional automated dependency update management

Release Security

  • OIDC Publishing: PyPI trusted publishing without stored credentials
  • Signed Commits: GPG signing supported for releases
  • Tag Protection: Releases require version tag validation

Deprecation Policy

To give users adequate time to adapt to breaking changes, we follow this policy:

  • A feature or API is deprecated in release 0.x by emitting a DeprecationWarning via basanos.warn_deprecated.
  • The deprecated feature is removed no earlier than release 0.x+2.
  • Any bump to _SAVE_FORMAT_VERSION in BasanosStream (i.e. a breaking change to the serialised stream format) is treated as a deprecation event: the old format is still loadable with a DeprecationWarning for at least two minor releases.
  • Breaking changes are listed in CHANGELOG.md under the ### Deprecated heading and noted in the GitHub release notes.
  • SECURITY.md (this file) must be updated as part of the release checklist whenever a new minor version becomes the supported release.

Security Best Practices for Users

When using basanos in your projects:

  1. Keep Updated: Upgrade to the latest supported minor release promptly
  2. Watch for DeprecationWarnings: Run your tests with python -W error::DeprecationWarning to surface any use of deprecated APIs before they are removed
  3. Enable Security Features: Enable CodeQL, secret scanning, and Dependabot in your repositories
  4. Use Locked Dependencies: Always commit uv.lock for reproducible builds
  5. Configure Branch Protection: Require PR reviews and status checks
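The deprecation policy above describes a mechanism (a DeprecationWarning emitted through a helper, an old serialised format that stays loadable with a warning for two minor releases, and users running tests with python -W error::DeprecationWarning) without showing it. The following is an added illustration written for this page; it is not basanos's own code. The names warn_deprecated, SAVE_FORMAT_VERSION, save_stream, load_stream, the JSON envelope and the "version 1 stored samples under data" layout are all constructed assumptions standing in for whatever BasanosStream actually does.

```python
"""Illustrative version-gated loader with a deprecation window (hypothetical, not basanos)."""
import json
import warnings

# Hypothetical stand-ins for basanos's _SAVE_FORMAT_VERSION and the oldest format still accepted.
SAVE_FORMAT_VERSION = 2
OLDEST_LOADABLE_VERSION = 1


def warn_deprecated(what: str, removed_in: str, stacklevel: int = 3) -> None:
    """Emit a DeprecationWarning attributed to the code that called the deprecated path.

    Hypothetical helper in the spirit of basanos.warn_deprecated; stacklevel=3 skips this
    function and its immediate caller so the warning points at user code.
    """
    warnings.warn(
        f"{what} is deprecated and will be removed in {removed_in}",
        DeprecationWarning,
        stacklevel=stacklevel,
    )


def save_stream(samples: list[float]) -> str:
    """Serialise samples in the current (constructed) format: a JSON envelope with a version tag."""
    return json.dumps({"format_version": SAVE_FORMAT_VERSION, "samples": samples})


def load_stream(payload: str) -> list[float]:
    """Load a serialised stream.

    Current format: returned as-is. Previous format (within the deprecation window): still
    loaded, but with a DeprecationWarning. Anything else (future or too old): rejected.
    """
    doc = json.loads(payload)
    version = doc.get("format_version", 1)  # constructed assumption: v1 files may omit the tag
    if version == SAVE_FORMAT_VERSION:
        return [float(x) for x in doc["samples"]]
    if OLDEST_LOADABLE_VERSION <= version < SAVE_FORMAT_VERSION:
        warn_deprecated(f"stream format version {version}", removed_in="0.x+2")
        # constructed assumption: the v1 layout stored samples as strings under "data"
        return [float(x) for x in doc["data"]]
    raise ValueError(f"unsupported stream format version {version!r}")


def deprecation_warnings_for(payload: str) -> list[str]:
    """Return the DeprecationWarning messages that loading payload emits (none for current format)."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always", DeprecationWarning)
        load_stream(payload)
    return [str(w.message) for w in caught if issubclass(w.category, DeprecationWarning)]


def load_under_strict_warnings(payload: str) -> str:
    """Mimic `python -W error::DeprecationWarning`: the warning becomes an exception.

    Returns 'ok' (current format), 'deprecated' (old format surfaced as an error) or
    'rejected' (unsupported version), so a test suite can see deprecated use before removal.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("error", DeprecationWarning)
        try:
            load_stream(payload)
        except DeprecationWarning:
            return "deprecated"
        except ValueError:
            return "rejected"
    return "ok"


# Constructed sample payloads: current format, previous format, and an unknown future version.
CURRENT_PAYLOAD = save_stream([1.0, 2.5])
LEGACY_PAYLOAD = json.dumps({"format_version": 1, "data": ["1.0", "2.5"]})
FUTURE_PAYLOAD = json.dumps({"format_version": 99, "samples": []})

if __name__ == "__main__":
    for name, payload in [("current", CURRENT_PAYLOAD), ("legacy", LEGACY_PAYLOAD), ("future", FUTURE_PAYLOAD)]:
        print(name, load_under_strict_warnings(payload), deprecation_warnings_for(payload) if name != "future" else "n/a")
```

The point of the strict-warnings helper is that, under the default filters, DeprecationWarning is silenced outside __main__, so a deprecated code path can go unnoticed until the two-release window closes; turning the category into an error in CI is what makes the window useful.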

Acknowledgments

We thank the security researchers and community members who help keep Basanos secure.

There aren’t any published security advisories