# Security Policy

## Supported Versions

We actively support the current 0.1.x beta release series with security updates.

| Version | Supported            |
| ------- | -------------------- |
| 0.1.x   | :white\_check\_mark: |
| < 0.1   | :x:                  |

## Reporting a Vulnerability

We take the security of Mermin seriously. If you believe you have found a security vulnerability, please report it to us as described below.

### Reporting Process

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, please report them by opening a [GitHub Security Advisory](https://github.com/elastiflow/mermin/security/advisories/new).

Please include the following information in your report:

* Type of vulnerability (e.g., privilege escalation, information disclosure, eBPF verifier bypass, denial of service, etc.)
* Full paths of source file(s) related to the manifestation of the vulnerability
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit it

This information will help us triage your report more quickly.

### What to Expect

* We will acknowledge receipt of your vulnerability report within 5 business days.
* We will send a more detailed response within 10 business days indicating the next steps in handling your report.
* We will keep you informed about the progress toward a fix and full announcement.
* We may ask for additional information or guidance.

### Disclosure Policy

We follow coordinated disclosure:

* We will work with you to understand and resolve the issue quickly.
* We request that you give us a reasonable amount of time to address the vulnerability before public disclosure.
* Once the vulnerability is patched, we will publish a security advisory on GitHub.
* We will credit you in the advisory unless you prefer to remain anonymous.

Thank you for helping keep Mermin and the community safe!


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.mermin.dev/contributor-guide/security.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.