Security fixes are applied on the actively maintained main branch.
Do not open a public issue for undisclosed vulnerabilities.
Use one of these private channels:
- GitHub private vulnerability reporting, if enabled for the repository
- direct contact with the repository maintainers through GitHub

Please include:
- affected component
- reproduction details
- impact assessment
- any known mitigations

We will review reports as quickly as possible and coordinate remediation before public disclosure when appropriate.

This policy covers:
- public gRPC and async contracts
- runtime integrations owned by this repo
- server bootstrap and shipped adapters

Product-specific integrations outside this repo should be reported to the owning product as well when relevant.