Security: karanyede/JanMat

SECURITY.md

JanMat Security Policy

This document explains which versions of JanMat we support and how to report security issues.

Supported Versions

Version   Supported
1.0.0     Yes
< 1.0     No

Only the current release (1.0.0) receives security fixes and guidance. Older, pre-release code is not supported.

Reporting a Vulnerability

If you believe you have found a security vulnerability, please report it privately to the project maintainer:

  • Email: karanyyede@gmail.com
  • Subject: [JanMat Security] Brief summary of the issue
  • Include: affected version, clear steps to reproduce, minimal proof‑of‑concept (PoC), expected vs actual behavior, and any suggested mitigation/workaround. Attach logs or screenshots if helpful.

Do not open a public GitHub issue for vulnerabilities — use the private email above.

What to Expect

  • Acknowledgement: within 3 business days.
  • Initial triage: within 7 calendar days (priority level assigned).
  • Fix timeline: depends on severity and complexity. We will provide regular status updates (at least weekly) until resolved.
  • Patch delivery: security fixes are released as a tagged GitHub release and documented in CHANGELOG.md. When feasible, patches are backported to the supported release.

Coordinated Disclosure

We request coordinated disclosure:

  • Please do not publicly disclose the vulnerability until a fix is released or we agree on a disclosure timeline.
  • If you require faster action or need a CVE assigned, indicate that in your initial report.

Emergency Contact & PGP

If you need an encrypted report, reply asking for the maintainer's PGP key and we will provide it. Otherwise use the email above.

No Bounty Program

There is currently no formal bug bounty program. Reports are welcomed and credited in release notes when appropriate.


Thank you for helping keep JanMat secure. Your responsible disclosure helps protect our users and the community.

There aren’t any published security advisories