Security Policy

This document outlines the security policy for all of the libraries in this repository.

If you believe that you have found a vulnerability in Enso or one of its libraries, please see the section on reporting a vulnerability below.

Supported Versions

Security updates for these libraries are provided for the versions shown below with a :white_check_mark: next to them. No other versions have security updates provided.

| Version        | Supported          |
| -------------- | ------------------ |
| latest release | :white_check_mark: |
| *              | :x:                |

Reporting a Vulnerability

If you believe that you’ve found a security vulnerability in one of the libraries maintained in this repository, please contact security@enso.org and provide details of the bug.

You can expect an update on a reported vulnerability within one business day, and the timeline works as follows:

  1. We analyse your report to determine the risk posed by the vulnerability and our next steps. This may involve asking for more information.
  2. We will email the submitter with our verdict as to whether it is or isn’t a vulnerability, as well as the severity if it is.
  3. We plan and outline any steps necessary to fix the bug, including the timeline for fixing the vulnerability within 90 days.
  4. We will communicate the planned fix with the person who submitted the vulnerability report.
  5. We will fix the bug and communicate with the submitter when the fix has landed on main, and when it has been backported to the above supported versions.
  6. The submitter may then disclose the bug publicly.

All communication will take place via email with a member of our team.