
Security: kstaniek/caneth

SECURITY.md

Security Policy

Thanks for helping keep this project and its users safe! 💙

Supported Versions

We generally support security fixes on:

  • the main branch (next release), and
  • the latest published PyPI release.

Older versions may receive fixes at the maintainers’ discretion.

Reporting a Vulnerability

Please do not open public issues for security vulnerabilities.
Instead, use GitHub’s private security advisories:

➡️ Report privately: https://github.com/kstaniek/caneth/security/advisories/new

When reporting, please include:

  • A clear description of the issue and impact.
  • Steps to reproduce, with a minimal PoC if possible.
  • Affected version(s), Python version, and OS details.
  • Any suggested mitigations or patches (optional but appreciated).

If you can’t use GitHub advisories for some reason, you may alternatively reach out via a direct GitHub message to @kstaniek.

Disclosure Process

  1. We will acknowledge your report within 3 business days.
  2. We will investigate and work on a fix; timelines depend on severity/complexity.
  3. We will coordinate disclosure with you, publishing a patched release and an advisory together.
  4. We’ll credit reporters in release notes/advisory (unless you prefer to remain anonymous).

Scope Notes

  • Please test only against your own environments and data.
  • Avoid actions that could degrade service for other users (no automated scanning against third-party systems).
  • Denial-of-service and social engineering reports are out of scope unless a concrete, reproducible exploit affecting this project is demonstrated.

Thanks

We appreciate responsible disclosure and the time you spend helping improve the project. 🙏