This security policy applies across repositories in the TuringLang organization unless a repository defines its own policy.
Please report suspected vulnerabilities privately.
- Use GitHub private vulnerability reporting in the affected repository when available.
- If private reporting is not available, contact repository maintainers directly.
- Do not open public issues for unpatched vulnerabilities.

When possible, include:
- Affected repository, branch, and version
- Reproduction steps or proof of concept
- Expected impact and attack preconditions
- Any mitigation ideas you have already tested

Reports may use AI or other tools for drafting or analysis, but please verify the issue yourself before reporting. Do not submit speculative or unreviewed tool-generated vulnerability reports.
After receiving a report, maintainers will:
- Acknowledge receipt as soon as practical
- Assess severity and scope
- Work on a fix and coordinated disclosure
- Credit the reporter when appropriate (if requested)

Response and remediation timelines depend on severity, complexity, and maintainer availability.
Please allow maintainers reasonable time to investigate and release a fix before public disclosure.
If you are unsure whether something is security-sensitive, report it privately first.
Support windows vary by repository. Unless stated otherwise in a repository's own policy, only actively maintained branches and current releases should be assumed to receive security fixes.