We take the security of this project seriously and appreciate responsible disclosures.
We generally support the latest published version. Older versions may not receive security fixes.

| Version | Supported |
|---|---|
| latest | yes |
| < latest | no |

Please do NOT open public GitHub issues for security vulnerabilities.
- Use GitHub Security Advisories to privately report issues: https://github.com/heripo-lab/heripo-engine/security/advisories/new
- Alternatively, you can reach out via GitHub Discussions if you're unsure whether a finding is security-related.

Provide as much detail as possible:
- Affected version(s)
- Environment (Node.js version, OS)
- Reproduction steps or proof-of-concept
- Impact assessment (what can an attacker achieve)

After you report:

- We will acknowledge receipt within 3 business days.
- We will investigate and provide an initial assessment within 7 business days.
- We will work with you to validate, remediate, and coordinate a disclosure timeline.
- We prefer coordinated disclosure; we will publish an advisory and release a patched version before public disclosure whenever possible.

Thank you for helping keep the community safe.