Stele is an audit-native engine intended for sensitive, regulated data, so we take security seriously even at this early stage. See 10 — Security & Compliance for the full model.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, use one of:
- GitHub private vulnerability reporting — open a private advisory (preferred).
- Email — security@steledb.com.
Please include: a description of the issue, steps to reproduce or a proof-of-concept, the affected version/commit, and any suggested remediation.
What you can expect from us:
- We aim to acknowledge a report promptly and keep you updated as we investigate.
- We practice coordinated disclosure: we'll work with you on a fix and a disclosure timeline, and credit you (with your permission) in the advisory.
- Please give us reasonable time to remediate before any public disclosure.
Pre-1.0, only the latest released version (and main) receives security fixes. A formal support policy arrives at v1.0.
Stele currently holds no production data and is in design/early development. Reports about the engine itself, its dependencies (supply chain), and the build/release pipeline are all in scope.