
Security: srinitude/hermes-mastra


SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities for the following versions:

Version   Supported
0.1.x     Yes

As the project matures, this table will be updated to reflect actively maintained release lines.

Reporting a Vulnerability

We take security bugs seriously and appreciate your efforts to responsibly disclose them.

Contact: kiren@fantasymetals.com

Please report security vulnerabilities by emailing the address above. Include the following information to help us triage and resolve the issue quickly:

  • Description of the vulnerability and its potential impact.
  • Steps to reproduce the issue, including any proof-of-concept code or configurations.
  • Affected versions, if known.
  • Suggested fix or mitigation, if you have one.

What to Expect

We are committed to timely and transparent communication throughout the reporting process:

Milestone           Target
Acknowledgment      Within 24 hours of receiving your report.
Initial assessment  Within 7 days — we will confirm the vulnerability, determine severity, and outline a remediation plan.
Fix delivered       Within 30 days — a patch or mitigation will be released for all supported versions.

If timelines need to be adjusted (e.g., due to complexity or dependency coordination), we will keep you informed and provide updated estimates.

Disclosure Policy

  • Do not publicly disclose the vulnerability before a fix has been released, unless we have explicitly agreed otherwise.
  • We practice coordinated disclosure: once a patch is available, we will publish a security advisory and credit the reporter (see Attribution below).
  • If we are unable to reproduce the issue or determine it is not a security vulnerability, we will explain our reasoning and work with you to reach mutual understanding.
  • We request that reporters allow 90 days from initial report before any independent public disclosure, in accordance with industry-standard responsible disclosure practices.

Attribution

We value and respect the security research community. Reporters who responsibly disclose vulnerabilities will be:

  • Credited in the corresponding security advisory and release notes (unless they prefer to remain anonymous).
  • Listed in a SECURITY.md hall of fame or project-level acknowledgments section as the project grows.

Thank you for helping keep hermes-mastra and its users safe.
