Skip to content

Security Policy

Supported Versions

Coffer is pre-v1; only main is supported. Pinned older versions receive no security backports.

Reporting a Vulnerability

Do not open a public GitHub issue for security findings.

Two private channels are available:

  1. GitHub Private Vulnerability Reporting (preferred): open a report at https://github.com/wyx-sg/Coffer/security/advisories/new. Authenticated users see a "Report a vulnerability" button on the Security tab.
  2. Email: hutwyx@gmail.com. Encrypt with the maintainer's public PGP key if you have it; otherwise plain text is acceptable for non-critical findings.

What to Include

  • Affected commit or version.
  • Reproduction steps (minimal repo, log excerpt).
  • Impact assessment.
  • Suggested mitigation, if any.

Response

StageTarget
AcknowledgementWithin 72 hours
Triage / first responseWithin 7 days
Fix / disclosure timelineAgreed case-by-case; typical 30–90 days

Coffer is single-maintainer pre-v1 — response time is best-effort, not SLA-guaranteed.