The project is currently pre-v1.0.
Security fixes are provided on a best-effort basis for the latest main branch state.
| Version/Branch | Supported |
|---|---|
| main | Yes |
| Tagged pre-v1.0 releases | Best effort (upgrade to latest recommended) |
| v1.0+ (future) | Policy will be updated at first stable release |
Do not open a public issue for suspected vulnerabilities.
Preferred reporting channels:
- GitHub Security Advisories: Security -> Advisories -> Report a vulnerability
- Email fallback: security@manopola.dev
Include:
- affected component(s) and version/commit
- reproduction steps or PoC
- impact assessment (confidentiality/integrity/availability)
- tested mitigations/patches
- whether public credit is requested
Target response windows:
- acknowledgement: within 3 business days
- triage decision: within 7 business days
- mitigation/fix plan: as soon as practical based on severity
Process:
- Confirm receipt and start private triage.
- Reproduce and classify severity.
- Prepare and validate fix/mitigation.
- Coordinate disclosure timing with reporter.
- Publish advisory/release notes and credit (if requested).
In-scope areas:
- Host runtime (`mama/`) input parsing and serial handling
- Setup UI/API and config persistence paths
- Build/release artifact integrity process
Out-of-scope by default (unless chained with in-scope impact):
- purely physical attacks requiring direct device access
- custom local-environment misconfiguration