This document outlines the security policy for Enso and its libraries.
If you believe that you have found a vulnerability in Enso or one of its libraries, please see the section on reporting a vulnerability below.
Security updates for Enso are provided for the versions shown below with a next to them. No other versions have security updates provided.
Please see our release policy for more information on how we support released versions.
Reporting a Vulnerability
If you believe that you’ve found a security vulnerability in the Enso codebase or one of the libraries maintained in this repository, please contact firstname.lastname@example.org and provide details of the bug.
You can expect an update on a reported vulnerability within one business day, and the timeline works as follows:
- We analyse your report to determine the risk posed by the vulnerability, and our further steps forward. This may involve asking for more information.
- We will email the submitter with our verdict as to whether it is or isn’t a vulnerability, as well as the severity if it is.
- We plan and outline any steps necessary to fix the bug, including the timeline for fixing the vulnerability within 90 days.
- We will communicate the planned fix with the person who submitted the vulnerability report.
- We will fix the bug and communicate with the submitter when the fix has
main, and when it has been backported to the above supported versions.
- The submitter may then disclose the bug publicly.
All communication will take place via email with a member of our team.