| Version | Supported |
|---|---|
| 1.0.x | Yes |
| < 1.0 | No |

If you discover a security vulnerability in Lattice, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, email security@latticeruntime.com with:

- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:

- Acknowledgment: within 48 hours
- Initial assessment: within 5 business days
- Fix or mitigation: depends on severity, targeting 30 days for critical issues

The following are in scope:

- Lattice desktop application (Electron)
- Built-in MCP server
- Agent orchestration and sandboxing
- SSH remote runtime connections
- Auto-updater and code signing

Out of scope:

- Third-party AI provider APIs (report to the provider directly)
- Self-hosted infrastructure not maintained by Lattice

We follow coordinated disclosure. We will credit reporters in the release notes unless anonymity is requested.