Skip to content

Security: KyleClouthier/bitrep

Security

SECURITY.md

Security Policy

Supported versions

bitrep is pre-1.0 and follows a rolling release model. Security fixes are applied to the latest published release on the current 0.x line; older 0.x releases are not maintained. Please upgrade to the newest release before reporting.

Version Supported
latest 0.x
older 0.x

Reporting a vulnerability

Please report suspected vulnerabilities privately — do not open a public issue, pull request, or discussion for a security report.

  • Preferred: email kyle@simgen.dev with the details below.
  • If you prefer GitHub's coordinated flow, use "Report a vulnerability" under the repository's Security tab (private advisory).

Include, where possible:

  • affected version / commit and platform (target triple, --features),
  • a description of the issue and its impact,
  • a minimal reproduction (input values, code snippet, or failing vector),
  • any known mitigation.

Disclosure expectations

  • We aim to acknowledge a report within 5 business days.
  • We will work with you on a fix and a coordinated disclosure timeline, targeting a resolution within 90 days of acknowledgement.
  • Please give us a reasonable opportunity to release a fix before any public disclosure. We are happy to credit reporters who wish to be named.

Because bitrep is a deterministic numerical library, the highest-value reports are ones that break a correctness or reproducibility guarantee (e.g. a platform-dependent result, a golden/conformance-vector mismatch, or a decoder that accepts malformed input), in addition to conventional memory-safety or supply-chain issues.

There aren't any published security advisories