We take security seriously. This section outlines which versions of our project are currently supported with security updates.

| Version | Supported |
|---|---|
| 2.1.x | ✅ |
| 2.0.x | ✅ |
| < 2.0 | ❌ |

If you discover a security vulnerability in this project, please report it responsibly. We appreciate your help in keeping our users safe.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing:
- Email: krishna@krishnabajpai.me
- Subject: [SECURITY] Vulnerability Report - SubMicro Execution Engine
When reporting a vulnerability, please include:
- Description: A clear description of the vulnerability
- Impact: What an attacker could achieve by exploiting this vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Proof of Concept: If possible, include a proof of concept
- Environment: Your testing environment (OS, versions, etc.)
- Suggested Fix: If you have suggestions for fixing the issue
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Investigation: We will investigate the report and determine its validity
- Updates: We will provide regular updates on our progress (at least weekly)
- Fix Development: If valid, we will develop and test a fix
- Disclosure: We will coordinate disclosure with you
- We follow responsible disclosure practices
- We will credit you (if desired) in our security advisory
- We aim to release fixes as quickly as possible
- We will not disclose vulnerability details until a fix is available
This security policy applies to:
- The SubMicro Execution Engine core codebase
- Official documentation
- Official build scripts and tooling
This policy does not apply to:
- Third-party dependencies (report to the respective projects)
- Configuration issues in user environments
- Denial of service attacks that require unrealistic resource usage
- Issues in development/unreleased code
We consider security research conducted in accordance with this policy to be authorized research. We will not pursue legal action against researchers who follow this policy.
Security updates will be released as patch versions with the following naming convention:
MAJOR.MINOR.PATCH, where PATCH indicates a security fix
Security advisories will be published on:
- GitHub Security Advisories
- Our changelog and release notes
For security-related questions or concerns:
- Email: krishna@krishnabajpai.me
- PGP Key: Available upon request
Thank you for helping keep the SubMicro Execution Engine secure!