If you discover a security vulnerability in SQLMesh, please report it through GitHub Security Advisories. Do not file a public issue for security vulnerabilities.

We will acknowledge receipt of your report within 72 hours and aim to provide an initial assessment within one week.

We follow a coordinated disclosure process. We will work with you to understand and address the issue before any public disclosure.

Security fixes are generally applied to the latest release. Critical vulnerabilities may be backported to recent prior releases at the discretion of the maintainers.