The following versions of Veld Framework are currently supported with security updates:
| Version | Supported | Status |
|---|---|---|
| 1.0.x | ✅ Yes | Active development |
| < 1.0.0 | ❌ No | Unsupported |
We recommend that all users upgrade to the latest stable version (1.0.x) to receive security patches and benefit from the framework's latest improvements.
We take the security of Veld Framework seriously. If you believe you have discovered a security vulnerability, please follow responsible disclosure practices to protect our users and the ecosystem.
- ❌ Open a public issue on GitHub
- ❌ Disclose the vulnerability in pull requests or discussions
- ❌ Post about the vulnerability on social media
- ❌ Share details with third parties before coordinated disclosure
- ✅ Email your findings to security@veld-framework.org
- ✅ Include a detailed description of the vulnerability
- ✅ Provide steps to reproduce the issue
- ✅ Mention any known workarounds
- ✅ Allow us time to investigate and develop a fix before public disclosure
We are committed to responding to security reports in a timely manner:
| Timeline | Action |
|---|---|
| 24-48 hours | Initial acknowledgment of your report |
| 7 days | Initial assessment and classification |
| 30 days | Patch development and testing (for critical issues) |
| 90 days | Public disclosure (standard embargo period) |
If you have not received a response within 48 hours of your initial report, please verify your email was sent correctly and allow additional time for investigation.
Veld Framework follows a responsible disclosure process:
- Private Report: Security researcher reports vulnerability privately to our security team
- Assessment: We validate the report, assess severity, and assign a CVSS score
- Development: We develop and test the fix without public awareness
- Notification: We notify users of the upcoming security release (minimum 7 days before release)
- Release: We publish the security advisory and patched version on GitHub
- Public Disclosure: Full details are published after users have had reasonable time to upgrade
We classify vulnerabilities using the CVSS (Common Vulnerability Scoring System) 3.1 framework:
| Severity | CVSS Score | Response |
|---|---|---|
| Critical | 9.0 - 10.0 | Patch within 7 days, emergency release |
| High | 7.0 - 8.9 | Patch within 30 days, next scheduled release |
| Medium | 4.0 - 6.9 | Patch within 90 days |
| Low | 0.1 - 3.9 | Patch in next major release |
This security policy applies to:
- ✅ Veld Framework core modules (veld-annotations, veld-runtime, veld-processor, veld-weaver)
- ✅ Maven and Gradle plugins
- ✅ Spring Boot integration (veld-spring-boot-starter)
- ✅ All annotations and API surfaces
- ✅ Generated bytecode and synthetic methods
This policy does NOT apply to:
- ❌ Third-party libraries that Veld depends on
- ❌ User applications built with Veld
- ❌ Infrastructure or CI/CD pipelines
Veld Framework undergoes periodic security reviews. For enterprise users requiring additional assurance, we can facilitate:
- Private security audits by request
- Penetration testing coordination
- Security review reports for compliance purposes
Contact security@veld-framework.org for more information about security audit processes.
We believe in recognizing responsible security researchers who help improve Veld Framework's security:
- 🏆 Your name will be added to our Security Hall of Fame (with your permission)
- 📝 Your contribution will be acknowledged in the security release notes
- 💬 We will keep you informed throughout the fix and disclosure process
For security matters only:
Email: security@veld-framework.org
PGP Key: [Will be added upon request]
For non-security issues, please use GitHub Issues or Discussions.
Last Updated: 2025-12-30
Version: 1.0.3