| Version | Supported | Notes |
|---|---|---|
| 0.1.x | ✅ | Current release |
Do not report security vulnerabilities through public issues. Use one of these channels:
- GitHub Private Vulnerability Reporting (preferred): https://github.com/skyoo2003/bit-axon/security/advisories/new
- Email: Contact the maintainer directly via GitHub (see SUPPORT.md)
This policy covers:
- The Bit-Axon Python package (`src/bit_axon/`)
- CLI tools (the `bit-axon` command)
- Documentation and build infrastructure
- GitHub Actions workflows
This policy does not cover:
- Vulnerabilities in upstream dependencies (report to the respective project)
- Issues specific to Apple MLX framework (report to apple/mlx)
- General usage questions or non-security bugs (use Issues)
| Phase | Timeframe | What to Expect |
|---|---|---|
| Acknowledgment | Within 48 hours | Confirmation that the report was received |
| Initial Assessment | Within 7 days | Severity classification and triage |
| Fix Communication | Within 14 days | Planned fix timeline or workaround |
| Fix Delivery | Varies by severity | Patch release or advisory publication |
| Severity | Example | Timeline |
|---|---|---|
| Critical | Remote code execution, auth bypass | 7 days |
| High | Privilege escalation, data exposure | 14 days |
| Medium | Information disclosure, DoS | 30 days |
| Low | Minor info leak, best practice | Next release |
- Dependency Scanning: Dependabot runs weekly for known CVEs
- Secret Scanning: GitHub secret scanning and push protection enabled
- Supply Chain: All dependencies declared with minimum version constraints in `pyproject.toml`
- CI Isolation: GitHub Actions run with minimal `GITHUB_TOKEN` permissions (`contents: read` for CI)
- PyPI Publishing: Uses Trusted Publishers with OIDC; no long-lived API tokens are stored as repository secrets