Versions of PyPTO that currently receive security updates:
| Version | Supported |
|---|---|
| Latest minor release series | Yes |
| Previous minor release series | Security fixes only |
| Older versions | No |
Please do not report security vulnerabilities through public GitHub issues.
Use GitHub Security Advisories to report vulnerabilities privately. This ensures the issue is handled confidentially until a fix is available.
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
Security issues in scope for this policy include:
- Vulnerabilities in the C++ runtime
- Issues in Python bindings (e.g., unsafe memory access across the C++/Python boundary)
- Build or CI infrastructure security issues
- Dependency vulnerabilities that affect PyPTO
The following are not security vulnerabilities and should be reported through the normal channels instead:
- General bugs — use GitHub Issues
- Feature requests — use GitHub Issues
- Questions about usage — use GitHub Discussions
Expected response times after a report is submitted:
| Action | Timeframe |
|---|---|
| Acknowledgment | Within 3 business days |
| Status update | Within 10 business days |
| Fix development | Depends on severity and complexity |
PyPTO follows coordinated disclosure:
1. The vulnerability is reported privately via GitHub Security Advisories.
2. The team acknowledges and triages the report.
3. A fix is developed privately.
4. A security advisory is published alongside the fix release.
5. Credit is given to the reporter (unless they prefer anonymity).