We release patches for security vulnerabilities for the latest stable version only.

| Version | Supported |
|---|---|
| latest | ✅ Yes |
| < latest | ❌ No |

Please do NOT open a public GitHub issue for security vulnerabilities.
Instead, use one of the following channels:
Use the GitHub Security Advisory feature to report the vulnerability privately. We will acknowledge it within 3 business days and aim to release a fix within 14 days for critical issues.
Send a detailed report to the maintainers at [email protected].
Include:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

What happens after you report:

- Acknowledgement within 3 business days.
- Triage — we assess severity using CVSS v3.
- Fix — developed on a private branch.
- Coordinated Disclosure — we'll notify you before the public release.
- CVE — we will request a CVE ID for valid, critical vulnerabilities.
- Credit — reporters are credited in the release notes (unless they prefer anonymity).
This policy applies to the ktestify-core library and its direct dependencies.
Vulnerabilities in transitive dependencies should be reported upstream.