Security: UrHighness01/EL---Easy-Language

SECURITY.md

Security Policy

This document describes how security issues are reported, handled, and which versions receive fixes.

Supported versions

EL is pre-1.0 and follows semantic versioning with rapid iteration. Only the latest minor release line receives security patches.

Version    Status
0.2.x      Supported (active)
< 0.2.0    Not supported

Notes

  • Development snapshots (e.g., 0.2.0.devN) receive fixes on the main branch; point releases are cut as needed.
  • If a high-severity issue impacts older versions and a safe backport is feasible, we may provide a one-off patch at our discretion.

Reporting a vulnerability

Please do NOT open public GitHub issues for security reports.

Private reporting options (preferred first):

  1. GitHub Security Advisories

  2. If you cannot access advisories

    • You may open a minimal issue asking maintainers to initiate a private channel, without disclosing details.

Include in your report (as applicable):

  • A clear description and impact assessment
  • A minimal reproducer (code, inputs) and affected versions/commit SHAs
  • Environment details (OS, Python version)
  • Suggested fixes or mitigations if known

Response & disclosure timeline

  • Acknowledgement: within 3 business days
  • Triage and initial assessment: within 7 days
  • Fix ETA: typically within 30 days depending on severity and complexity
  • Coordinated disclosure: we’ll agree on a timeline; advisories and release notes will credit reporters unless anonymity is requested

Scope and non-goals

  • EL is a language/tooling project; it doesn’t run untrusted code by default. Findings limited to misconfiguration or documentation gaps may be tracked as regular issues.
  • Out-of-scope items: vulnerabilities in third-party dependencies (to be reported upstream), social engineering, or issues requiring unreasonable preconditions.

Thank you for helping keep EL users safe.
