quartz is experimental and solo-maintained. Security reports are reviewed on a best-effort basis, without a formal response SLA.
Please do not open a public issue for suspected vulnerabilities. Report privately through GitHub's private vulnerability reporting for this repository. If that is not enabled, the repository is not yet ready to be public; open only a minimal public issue asking for a private reporting path, and include no vulnerability details.
Include:
- affected version or commit
- reproduction steps
- impact
- relevant logs or proof of concept
Runnable CLIs, plugins, package installation paths, generated release assets, and documented local workflows are in scope. Third-party services, user-provided credentials, and local machine configuration outside this repository are out of scope unless this project directly mishandles them.