During alpha development (version 0.x), only the latest version is updated for security.
This support policy will change once Envlang moves into release.
Please disclose vulnerabilities using the GitHub security advisory form (available under the Security tab).
Vulnerability reports made in public spaces (such as Issues or Discussions) WILL be deleted without discussion.
Please include as much information as you can on the vulnerability, especially regarding:
- What the vulnerability could cause,
- Where the vulnerability occurs, and
- Any suggestions on how to solve the vulnerability.
If you wish to be informed about the process regarding your security advisory, please leave a valid contact in the Credits section of the advisory form. Without a valid contact, the below procedure communications cannot take place.
Once I have reviewed the report, I will let you know that I am aware of it. If the same issue has been reported before, I will acknowledge that to your report.
If the report is actionable and detailed enough, I will write a hotfix. Depending on the complexity of the vulnerability, I may contact you at the address from which the original report came to ask further questions.
If you wish to be contacted another way, please indicate so in your advisory. However, please refrain from disclosing detailed personal information in the email (such as phone numbers, or physical addresses).
I will inform you when a hotfix has been released.