Thank you for helping keep SmolVM secure.
SmolVM is licensed under the Apache License 2.0. See LICENSE.
This security policy is provided on a best-effort basis and is for process clarity only. It does not create any contractual, legal, or other binding obligation on maintainers. In particular, this policy does not create:
- any duty to respond within a specific time,
- any duty to fix, backport, or disclose on a specific schedule,
- any warranty, guarantee, SLA, or support commitment,
- any entitlement to payment, bug bounty, or other compensation.
All software and updates remain provided "AS IS", without warranties, as described in Apache-2.0.
SmolVM is currently pre-1.0. Security fixes are prioritized for:
| Version / Branch | Supported |
|---|---|
| Latest release tag | ✅ |
| main branch | ✅ (best effort) |
| Older release tags | ❌ |
If you are on an older version, please upgrade before reporting behavior that may already be fixed.
Please do not open public GitHub issues for suspected vulnerabilities.
Use GitHub's private vulnerability reporting flow:
- Private report: https://github.com/CelestoAI/SmolVM/security/advisories/new
If that link is unavailable, open a minimal issue asking maintainers for a private contact channel (without sensitive details).
Please include as much of the following as possible:
- A clear description of the vulnerability and impact
- Affected version/commit and host environment (OS, architecture)
- Reproduction steps or proof-of-concept
- Expected vs. actual behavior
- Any suggested mitigation
As a small team, we handle reports as capacity allows. Our non-binding target process is:
- Acknowledge report within 3 business days
- Triage and severity assessment within 7 business days
- Provide periodic updates when possible
Timelines may vary depending on complexity and maintainer availability.
We follow coordinated disclosure where possible:
- Please allow reasonable time for a fix before public disclosure
- We may publish security advisories for confirmed issues
- We are happy to credit reporters in advisories (unless you ask to remain anonymous)
This policy covers vulnerabilities in this repository's code and release artifacts.
Out-of-scope (unless caused by SmolVM code):
- Vulnerabilities in third-party dependencies/upstream projects
- Host misconfiguration outside documented SmolVM setup
- Security findings without a realistic exploit path or impact