Security: Vrin-cloud/engram

SECURITY.md

Security Policy

Supported versions

Engram is pre-1.0. Until v0.1.0 ships, only main is supported for security fixes. After v0.1.0, the most recent minor release receives security patches.

Version    Supported
main       yes
< 0.1.0    no

Reporting a vulnerability

Please report security issues privately to vedant@vrin.cloud. Do not open a public GitHub issue for a vulnerability.

Include in your report:

  • A description of the issue and its impact.
  • Steps to reproduce, including a minimal proof of concept if possible.
  • The Engram version, Python version, and any relevant configuration.
  • Whether you wish to be credited in the advisory.

Disclosure process

  1. We acknowledge receipt within 3 business days.
  2. We confirm the issue (or explain why it is not a vulnerability) within 10 business days.
  3. We aim to ship a fix within 90 days of confirmation, coordinated with the reporter.
  4. After the fix ships, we publish a GitHub security advisory and credit the reporter unless they request otherwise.

Severe or actively exploited issues will be patched on an accelerated timeline.

There aren't any published security advisories