Skip to content

Security: bernardladenthin/srcmorph

SECURITY.md

Security Policy

Supported versions

The project has not yet cut a versioned release. Security fixes are applied directly on main against the current development snapshot.

Version Supported
0.1.0-SNAPSHOT (development, unreleased) Security fixes applied on main

Note: once the first SemVer release is cut, this table will be updated to list the supported release line(s).


Reporting a vulnerability — primary channel

Please do not report security vulnerabilities through public GitHub issues.

Use GitHub's built-in private vulnerability reporting mechanism:

https://github.com/bernardladenthin/srcmorph/security/advisories/new

This creates a private advisory that only the maintainers can see.


Reporting a vulnerability — fallback

If GitHub Private Vulnerability Reporting is unavailable, contact the maintainer directly:

This address is the same maintainer contact published in CODE_OF_CONDUCT.md.


Response SLA

We aim to:

  • Acknowledge vulnerability reports within 14 days of receipt.
  • Provide a remediation timeline within 30 days of acknowledgement.

Coordinated disclosure

This project follows coordinated disclosure with a 90-day embargo by default:

  1. The reporter submits the vulnerability privately (see above).
  2. The maintainer acknowledges receipt and investigates.
  3. A fix is developed and tested privately.
  4. A patched release is published.
  5. A public security advisory is created after the fix is released.

Please do not disclose the vulnerability publicly until a fix has been released or until you and the maintainer have agreed on a disclosure date. If 90 days elapse without a remediation plan, the reporter may publish at their discretion after notifying the maintainer.


Scope

In scope:

  • Plugin source under src/main/java/net/ladenthin/maven/llamacpp/aiindex/**.
  • Plugin Maven configuration (pom.xml) and CI workflow definitions in .github/workflows/**.

Out of scope (report upstream):


Security update notifications

Security fixes are published through:

  • GitHub Security Advisories on this repository (subscribe via the Watch → Custom → Security alerts setting).
  • The CHANGELOG.md ### Security entry for the affected release.
  • The GitHub Releases page, which is the canonical announcement channel.

There aren't any published security advisories