If you discover a security vulnerability in Hew, please report it responsibly.
Do not open a public issue. Instead, email security@hew.sh with:
- A description of the vulnerability
- Steps to reproduce, if possible
- The affected version(s)
We will acknowledge receipt within 48 hours and aim to provide an initial assessment within one week.
This policy covers:
- The Hew compiler (`hew`, `hew-codegen`)
- The Hew runtime (`libhew_runtime`)
- The package manager (`adze`)
- The standard library (`std/`)
- The package registry infrastructure
| Version | Supported |
|---|---|
| 0.1.x | Yes |
We follow coordinated disclosure. We will work with reporters to agree on a disclosure timeline, typically 90 days from the initial report.