The Loom team currently supports the latest stable release of the Loom compiler and standard library. Older versions may receive security patches at the discretion of the Loom Steering Council.

| Version | Status |
|---|---|
| latest | ✅ Supported |
| dev/nightly | |
| older releases | ❌ Unsupported unless LTS declared |

If you discover a security vulnerability in the Loom language, compiler, or any official tool or repository, please report it privately and responsibly.
Please email:
Include the following:
- Description of the vulnerability
- Reproduction steps (if applicable)
- Affected components and versions
- Impact and severity (data corruption, RCE, etc.)
- Your name or handle (optional)
We aim to respond within 48 hours and provide regular updates until the issue is resolved.
- Initial Triage: Confirm the report and evaluate its severity.
- Private Fix Development: The Loom core team develops and tests a fix.
- Coordinated Disclosure: If applicable, we work with downstream tools or users to patch affected systems.
- Public Release:
  - Release notes will acknowledge the issue (and credit the reporter unless anonymity is requested).
  - A CVE may be requested for serious vulnerabilities.
  - A patched version will be published along with upgrade instructions.
This policy applies to:
- Loom compiler and runtime
- Standard library modules
- Official language tools and formatters
- Any critical infrastructure in the Loom Foundation GitHub organization
This policy does not cover:
- Third-party tools or libraries
- User-written Loom programs with poor practices
- Outdated or forked versions not maintained by the Loom team

Recommendations for Loom users:
- Always use the latest stable Loom release.
- Avoid executing untrusted `.lm` or `.loom` code.
- Consider sandboxing Loom applications if working with external input.

The Loom Language Team greatly appreciates the efforts of ethical hackers and security researchers. Responsible disclosures help keep our community safe.
Thank you for helping keep Loom secure.
— The Loom Steering Council