| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| < 2.0 | ❌ |

This project runs in production environments, and public disclosure of vulnerabilities before a fix is available could harm our users.

Report security vulnerabilities via one of these private channels:
- GitHub Security Advisories (preferred): Use the "Report a vulnerability" button in the Security tab of this repository
- Email: david@frontegg.com (include "enclave-vm" in the subject line)

Please include in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:

- Acknowledgment: within 48 hours
- Initial assessment: within 7 days
- Status updates: at least every 14 days
- Resolution target: critical issues within 30 days

We consider security research conducted in good faith to be authorized. We will not pursue legal action against researchers who:
- Act in good faith
- Avoid privacy violations and data destruction
- Do not exploit vulnerabilities beyond proof-of-concept
- Report findings promptly and privately

We follow coordinated disclosure. We will publicly acknowledge your contribution (unless you prefer anonymity) after a fix is released.

Key points:
- Use GitHub Security Advisories - built-in private reporting, no email exposure
- Clear "do not" statement - explicitly tell people not to use public issues
- Response timeline commitments - sets expectations
- Safe harbor - encourages researchers to report without fear of legal action
- Update the version table - yours shows 5.x but your repo is at 2.x