Security Policy
Supported Versions
We actively support the current 0.1.x beta release series with security updates.
0.1.x: ✅
< 0.1: ❌
Reporting a Vulnerability
We take the security of Mermin seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Reporting Process
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them by opening a GitHub Security Advisory.
Please include the following information in your report:
Type of vulnerability (e.g., privilege escalation, information disclosure, eBPF verifier bypass, denial of service, etc.)
Full paths of source file(s) related to the manifestation of the vulnerability
The location of the affected source code (tag/branch/commit or direct URL)
Any special configuration required to reproduce the issue
Step-by-step instructions to reproduce the issue
Proof-of-concept or exploit code (if possible)
Impact of the issue, including how an attacker might exploit it
This information will help us triage your report more quickly.
What to Expect
We will acknowledge receipt of your vulnerability report within 5 business days.
We will send a more detailed response within 10 business days indicating the next steps in handling your report.
We will keep you informed about the progress toward a fix and full announcement.
We may ask for additional information or guidance.
Disclosure Policy
We follow coordinated disclosure:
We will work with you to understand and resolve the issue quickly.
We request that you give us a reasonable amount of time to address the vulnerability before public disclosure.
Once the vulnerability is patched, we will publish a security advisory on GitHub.
We will credit you in the advisory unless you prefer to remain anonymous.
Thank you for helping keep Mermin and the community safe!