Skip to content

Security: Jacobcdsmith/CONSIM

SECURITY.md

Security Policy

This document explains how we maintain the security of the project and how you can help. Read it carefully before reporting vulnerabilities or relying on unsupported releases.


Supported Versions

Release Branch Security Updates?
5.1.x ✅ Actively maintained
5.0.x ❌ End‑of‑life
4.0.x ✅ Long‑term support
< 4.0 ❌ No longer supported

Only the branches marked with a green check receive security patches. Running unsupported code is at your own risk.


Reporting a Vulnerability

  1. Contact us privately – Email JACOBCSMITHD@GMAIL.COM with the subject line Vulnerability Report: <concise summary>.
  2. Encrypt your message – Our PGP public key is located at /SECURITY.pub.
  3. Initial response – We acknowledge reports within 48 hours.
  4. Status updates – You will receive progress reports at least every 7 days until a fix or mitigation is released.
  5. Coordinated disclosure – Please keep the details confidential for 90 days or until a patch is published, whichever comes first.
  6. Recognition and rewards – Accepted reports are listed in HALL_OF_FAME.md. Bounties are awarded based on severity and technical depth.

If a report is not accepted, we will explain the decision.


Responsible Testing Guidelines

  • Proof‑of‑concept only – Demonstrate the issue without harming data or systems.
  • No production impact – Do not test against live infrastructure unless we explicitly approve it.
  • Avoid social engineering – Focus on technical flaws, not people or physical facilities.

Thank you for helping us keep this project secure.

There aren't any published security advisories