Security fixes are prioritized according to the support policy in
docs/contracts/support-policy.md.
| Release channel | Security support status |
|---|---|
| Current (N) | Full security fixes and advisories |
| Maintenance (N-1) | Critical/high fixes and selected medium fixes |
| LTS | Security and stability fixes per LTS policy |
| EOL | No security fixes (upgrade required) |
Please do not open public issues for suspected vulnerabilities.
Report privately to: security@freetakteam.org with:
- Affected component(s) and version/commit.
- Reproduction details or proof-of-concept.
- Impact statement and expected security boundary.
- Any suggested mitigations.
Initial response targets:
- Acknowledge receipt within 24 hours.
- Complete initial triage within 72 hours.
- Provide remediation plan or mitigation guidance within 7 days.
Coordinated disclosure steps:
- Intake and severity assignment.
- Reproduction and impact confirmation.
- Patch and backport planning.
- Advisory publication and migration guidance.
Detailed execution runbook:
docs/runbooks/cve-response-workflow.md
For confirmed vulnerabilities:
- Assign internal incident ID and tracking issue.
- Request CVE identifier when required.
- Publish remediation advisory with fixed versions and upgrade path.
- Update migration notes and release notes if contract/behavior changes.
- Security issues in third-party dependencies are tracked through dependency advisories and triaged for impact on supported releases.
- Reports that only affect unsupported/EOL versions may be closed with upgrade guidance.