Only the latest release is supported. There is no long-term-support line.
Do NOT open a public issue for security reports.
Email quentin.delettre@pm.me with:
- A description of the issue
- Steps to reproduce, or a proof-of-concept
- Affected version (commit SHA or tag)
- Your name/handle if you'd like credit
You'll get an acknowledgment within 7 days. Expected timelines for a fix depend on severity:
- Critical (arbitrary command execution via a hook/script, credential exposure): aim for 7 days
- High (unexpected data exfiltration from a transcript or finding file): 30 days
- Medium / low: best-effort
This is a solo-maintained project. Response times above are intentions, not guarantees.
Coordinated disclosure preferred. Once a fix lands, the issue is documented in the release notes. Credit given on request.