Please report security vulnerabilities privately.
- Do not open a public issue.
- Use GitHub Private Vulnerability Reporting in the affected repository (Security tab).
- If needed, contact us at security@sqloot.dev.
Please include:
- Affected repository/package and version/commit
- Reproduction steps or PoC
- Impact assessment
- Suggested mitigation (optional)
Response targets:
- Acknowledgement: within 48 hours
- Initial triage: within 7 days
- Fix timeline:
  - Critical: as soon as possible
  - High: target within 30 days
  - Medium: target within 90 days
This policy applies to all repositories under the SQLoot organization.
| Version line | Supported |
|---|---|
| Current main/default branch | ✅ |
| Older versions | ❌ |
Security practices for contributors:
- Never commit secrets or credentials
- Minimize sensitive logging
- Keep dependencies updated
- Use least-privilege tokens and permissions
- Enable 2FA on your GitHub account
We appreciate responsible disclosure and can credit reporters in release notes, unless anonymity is requested.