Security Policy
How to report security vulnerabilities in Reinhardt.
Reporting a Vulnerability
Do not create public GitHub issues for security vulnerabilities.
Primary: GitHub Security Advisories (Preferred)
Report a vulnerability via GitHub Security Advisories
This ensures your report is kept confidential until a fix is released.
For questions or if GitHub Advisories is unavailable:
Response Timeline
| Severity | Acknowledgment | Patch Target |
|---|---|---|
| Critical | 48 hours | 30 days |
| High | 48 hours | 30 days |
| Medium | 7 days | 90 days |
| Low | 30 days | Best effort |
Supported Versions
Only the latest release on crates.io receives security patches.
Disclosure Policy
We follow coordinated disclosure:
- You report the vulnerability privately
- We acknowledge within 48 hours
- We develop and test a fix
- We release the fix and publish a security advisory
- You may publicly disclose after the fix is released
Credits
We publicly credit reporters in the security advisory unless anonymity is requested.
Thank you for helping keep Reinhardt secure.