The latest released version of each plusUltra Tools repository is supported. Older versions receive no security patches; please upgrade.

Email plusultra.dev@proton.me with: affected repository and version, reproduction steps or proof of concept, and impact assessment.

PGP is welcome but not required.

• Acknowledgement: within 5 business days
• Triage + initial assessment: within 10 business days
• Fix or coordinated disclosure plan: within 30 days for high-severity, 90 days for low-severity

Good-faith security research conducted under this policy will not be pursued under DMCA, CFAA, or equivalent laws. Scope is limited to plusUltra Tools repositories under the plusultra-tools GitHub org and the plusultra.dev domain.

• Social engineering of plusUltra Tools maintainers
• Denial-of-service attacks
• Findings already publicly disclosed in upstream dependencies (report those upstream first)