We release patches for security vulnerabilities. Which versions are eligible receiving such patches depends on the CVSS v3.0 Rating:

Please report (suspected) security vulnerabilities to [email protected]. You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.

• All dependencies are regularly audited using cargo audit
• Automated security scanning runs weekly and on every pull request
• License compliance is enforced through cargo deny
• Supply chain security is monitored through dependency verification

• All releases are built in isolated GitHub Actions environments
• Release binaries include SHA256 checksums for integrity verification
• Cross-compilation targets are verified for consistency
• Build artifacts are created reproducibly where possible

• Rust's memory safety features prevent common security vulnerabilities
• All code goes through review before being merged
• Automated linting and formatting enforce consistent code quality
• Security-focused clippy lints are enabled and enforced

• Dependencies are automatically updated by Dependabot
• Major version updates require manual review
• Only well-maintained crates from trusted sources are used
• Transitive dependencies are regularly audited

• State transitions are validated before execution
• Error messages avoid leaking sensitive state information
• State machine configurations are type-safe at compile time
• Guard functions are pure and side-effect free

1. Receipt: Security reports are acknowledged within 48 hours
2. Assessment: Vulnerability is assessed and classified within 5 days
3. Development: Patch is developed and tested
4. Coordination: If needed, we coordinate with other affected parties
5. Release: Security patch is released with appropriate advisories
6. Disclosure: Public disclosure occurs after patch is available

• Primary: Glen Baker ([email protected])
• Repository: https://github.com/iepathos/mindset
• Security Advisory: GitHub Security Advisories

We appreciate security researchers who responsibly disclose vulnerabilities. Contributors will be acknowledged here (with permission).

This security policy is subject to change. Please check back regularly for updates.