Council is pre-1.0 software. Security fixes are provided only for the latest
0.4.x release line.

| Version | Supported |
|---|---|
| 0.4.x | ✅ |
| < 0.4 | ❌ |

Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions. When reporting, do not include secrets, API tokens, credentials, or full file paths in any public issue or diagnostic output.
Instead, report vulnerabilities privately using GitHub's built-in private vulnerability reporting:
- Go to the **Security** tab of this repository.
- Click **Report a vulnerability** to open a private Security Advisory.
- Provide a clear description of the issue, including:
  - The affected component(s) and version.
  - Steps to reproduce or a proof of concept.
  - The potential impact and any suggested remediation.
This routes the report directly to the maintainers through a private GitHub Security Advisory. No email or PGP key is required.
This is a maintainer-driven open-source project, so responses are made on a best-effort basis:
- We aim to acknowledge new reports within a few business days.
- We will keep you informed of progress as we triage, confirm, and address the issue.
- Once a fix is available, we will coordinate disclosure through the Security Advisory and credit reporters who wish to be acknowledged.
Thank you for helping keep Council and its users safe.