We provide security updates for the latest stable release of each repository. Older versions are not guaranteed to receive patches.
| Version | Supported |
|---|---|
| Latest release | Yes |
| Previous minor | Best effort |
| Older versions | No |
Please do not report security vulnerabilities through public GitHub Issues.
To report a vulnerability, email us at: security@raintree.technology
Include as much detail as possible:
- Affected repository and version
- Description of the vulnerability
- Steps to reproduce or proof-of-concept
- Potential impact assessment
- Any suggested mitigations
- Acknowledgment: within 48 hours
- Initial assessment: within 5 business days
- Resolution or mitigation: depends on severity — critical issues are prioritized
We follow responsible disclosure. Once a fix is available, we will release a patched version, publish a security advisory on GitHub, and credit the reporter (unless they prefer anonymity). We ask that you do not publicly disclose the issue until a fix has been released.
In scope: remote code execution, authentication bypass, data exposure, dependency vulnerabilities with active exploits, supply chain risks in published packages.
Out of scope: theoretical vulnerabilities without a practical exploit path, social engineering, or issues in third-party infrastructure we do not control.