Security Policy
Supported Versions
Coffer is pre-v1; only main is supported. Pinned older versions receive no security backports.
Reporting a Vulnerability
Do not open a public GitHub issue for security findings.
Two private channels are available:
- GitHub Private Vulnerability Reporting (preferred): open a report at https://github.com/wyx-sg/Coffer/security/advisories/new. Authenticated users see a "Report a vulnerability" button on the Security tab.
- Email: hutwyx@gmail.com. Encrypt with the maintainer's public PGP key if you have it; otherwise plain text is acceptable for non-critical findings.
What to Include
- Affected commit or version.
- Reproduction steps (minimal repo, log excerpt).
- Impact assessment.
- Suggested mitigation, if any.
Response
| Stage | Target |
|---|---|
| Acknowledgement | Within 72 hours |
| Triage / first response | Within 7 days |
| Fix / disclosure timeline | Agreed case-by-case; typical 30–90 days |
Coffer is single-maintainer pre-v1 — response time is best-effort, not SLA-guaranteed.