One sentence: This policy describes supported versions and how to report vulnerabilities.
Last updated: 2026-01-07
- Audience: Security researchers, users, and maintainers.
- Scope: Supported versions, reporting process, and security automation.
- Non-scope: General support requests (see
SUPPORT.md). - Doc owner: jscraik.
- Review cadence: Each release.
- Required approvals: 1 maintainer.
Only the latest minor release is supported.
If you discover a security issue, please report it privately:
- Email: jscraik@brainwav.io
- Please include steps to reproduce, impact, and any proposed fixes.
We aim to acknowledge reports within 7 days.
This project is a CLI client that talks to the public arXiv API over HTTPS. It does not store credentials or user data beyond local output files created explicitly by the user.
The repo uses automated security checks on pull requests and scheduled runs:
- CodeQL for static analysis.
- Semgrep for source scanning.
- npm audit for dependency vulnerabilities.
- Dependabot for dependency update PRs.
- Gitleaks for secret scanning in git history and changes.
- Dependencies are managed with npm only.
package-lock.jsonmust be updated via npm and committed with dependency changes.- Audit failures should be resolved by upgrading dependencies or opening a tracking issue.
- Assumes the listed contact email is monitored and responses happen within stated timelines.
- Assumes security tooling remains enabled in CI and scheduled workflows.
- Out-of-date supported version guidance can mislead reporters; review each release.
- Supported version policy is current.
- Reporting contact and response timeline are accurate.
- Security automation reflects actual CI tooling.
- Risks and assumptions are explicit.
- Ownership and cadence are stated.
- Standards mapping: CommonMark structure, security/privacy guidance, accessibility (clear headings).
- Automated checks: vale run on 2026-01-07 (0 errors, 0 warnings).
- Review artifact: Self-review completed on 2026-01-07.
- Deviations: None.