| Version | Supported |
|---|---|
| 0.6.x | Yes |
| < 0.6 | No |
Only the latest release receives security fixes. We recommend always running the most recent version.
Do not open a public GitHub issue for security vulnerabilities.
Instead, use GitHub's private vulnerability reporting:
- Go to the Security tab of this repository
- Click "Report a vulnerability"
- Fill in the advisory form, including:
  - Description of the vulnerability
  - Steps to reproduce
  - Affected versions
  - Impact assessment (what an attacker could do)
  - Any suggested fix, if you have one
Response timeline:
- Acknowledgment -- within 3 business days
- Initial assessment -- within 7 business days
- Fix timeline -- depends on severity, but we aim for 30 days for critical issues
We will coordinate with you on disclosure timing. We ask that you do not publicly disclose the vulnerability until a fix is released.
The following are not considered security vulnerabilities:
- Spec compilation accuracy or output differences -- use a bug report
- Denial of service via extremely large input files (LAP is a local CLI tool)
- Issues in dependencies -- report those upstream, but let us know if they affect LAP
We appreciate responsible disclosure and will credit reporters in the release notes (unless you prefer to remain anonymous).