Until the first public release is tagged, the active development branch is considered the supported line for coordinated vulnerability disclosure.
After the public release process starts, supported versions and patch windows should be listed here explicitly.
Please do not report security vulnerabilities in public GitHub issues.
Preferred disclosure channel:
- Once the repository is public, use GitHub Private Vulnerability Reporting via the repository's
Securitytab if it is enabled.
Fallback channel:
- If private vulnerability reporting is not yet available, contact the maintainer privately before disclosure using the contact details published on the repository's public home/profile.
When reporting, include:
- Affected version / commit / branch
- A clear description of the issue and its impact
- Reproduction steps or a minimal proof of concept
- Any suggested mitigation, if you have one
The project aims to:
- acknowledge receipt within 3 business days
- provide an initial triage/update within 7 business days
- coordinate a fix and disclosure timeline based on severity and exploitability
Please allow time for investigation and remediation before public disclosure. The project will work with reporters to validate the issue, determine severity, prepare a fix, and agree on a reasonable disclosure date.
This policy applies to the corvee CLI, repository automation, embedded assets, and documentation-controlled workflows in this repository.