If you discover a security vulnerability in any Punt Labs project, please report it responsibly.
Do not open a public issue. Instead, email hello@punt-labs.com with:
- A description of the vulnerability
- Steps to reproduce
- The affected project and version
- Any potential impact assessment

You will receive an acknowledgment within 48 hours and a detailed response within 7 days indicating next steps.

Security updates are applied to the latest release of each project. We do not backport fixes to older versions.

All Punt Labs repositories enable:
- Dependabot alerts for vulnerable dependencies
- Dependabot security updates for automatic patching
- Secret scanning with push protection to prevent credential leaks
- Branch protection requiring CI checks before merge