The Cloth team currently supports the latest stable release of the Cloth compiler and standard library. Older versions may receive security patches at the discretion of the Cloth Steering Council.
| Version | Status |
|---|---|
| latest | ✅ Supported |
| dev/nightly | |
| older releases | ❌ Unsupported unless LTS declared |
If you discover a security vulnerability in the Cloth language, compiler, or any official tool or repository, please report it privately and responsibly.
Please email:
Include the following:
- Description of the vulnerability
- Reproduction steps (if applicable)
- Affected components and versions
- Impact and severity (data corruption, RCE, etc.)
- Your name or handle (optional)
We aim to respond within 48 hours and provide regular updates until the issue is resolved.
- Initial Triage: Confirm the report and evaluate its severity.
- Private Fix Development: The Cloth core team develops and tests a fix.
- Coordinated Disclosure: If applicable, we work with downstream tools or users to patch affected systems.
- Public Release:
- Release notes will acknowledge the issue (and credit the reporter unless anonymity is requested).
- A CVE may be requested for serious vulnerabilities.
- A patched version will be published along with upgrade instructions.
This policy applies to:
- Cloth compiler and runtime
- Standard library modules
- Official language tools and formatters
- Any critical infrastructure in the Cloth Foundation GitHub organization
This policy does not cover:
- Third-party tools or libraries
- User-written Cloth programs with poor practices
- Outdated or forked versions not maintained by the Cloth team
- Always use the latest stable Cloth release.
- Avoid executing untrusted
.co,.cloth, or.clibcode. - Consider sandboxing Cloth applications if working with external input.
The Cloth Foundation greatly appreciates the efforts of ethical hackers and security researchers. Responsible disclosures help keep our community safe.
Thank you for helping keep Cloth secure.
— The Cloth Steering Council