Before the first public release, the current main branch is the supported security baseline for Tractatus. After public releases begin, we generally support the latest released minor and the immediately previous minor of the transport contracts and generated Go bindings.
Because Tractatus is consumed by multiple operators and SDKs, keep those dependencies up to date as well.
The BubuStack team and community take all security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
To report a security vulnerability, please use the GitHub Security Advisory feature in this repository:
Please report security vulnerabilities only through GitHub Security Advisories in this repository. Do not email maintainers and do not open public GitHub issues.
When reporting a vulnerability, please provide the following information:
- A clear description of the vulnerability and its potential impact.
- Steps to reproduce the vulnerability, including any example code, scripts, or configurations.
- The version(s) of the module or generated artifacts affected.
- Your contact information for us to follow up with you.
- Report: You report the vulnerability through the GitHub Security Advisory feature.
- Confirmation: We will acknowledge your report within 48 hours.
- Investigation: We will investigate the vulnerability and determine its scope and impact. We may contact you for additional information during this phase.
- Fix: We will develop a patch for the vulnerability and update any generated artifacts if necessary.
- Disclosure: We will create a security advisory, issue a CVE (if applicable), and release a new version with the patch. We will credit you for your discovery unless you prefer to remain anonymous.
We aim to resolve high severity vulnerabilities within 30 days, medium within 60 days, and low within 90 days, subject to complexity and scope. We will keep you informed of our progress throughout the process.