Security fixes are provided on a best-effort basis for the latest code paths.

| Version | Security Support |
|---|---|
| Latest stable release | Yes |
| main branch | Yes |
| Older releases | No |

If you are on an older release, upgrade to the latest version before reporting or validating a fix.
Please do not open public GitHub issues for security vulnerabilities.
We appreciate your efforts to responsibly disclose your findings. We will make every effort to respond quickly and address concerns.
Use GitHub private vulnerability reporting:

Include the following details in your report:
- A clear description of the issue and impact
- Affected version, OS, and environment details
- Exact reproduction steps or proof of concept
- Any suggested remediation (optional)

After receiving a report, maintainers will:
- Acknowledge receipt as soon as possible (target: within 7 business days).
- Validate and assess severity.
- Prepare and test a fix.
- Coordinate disclosure and release notes.

Resolution timelines depend on complexity and maintainer availability, but critical issues are prioritized first.
- Please keep vulnerability details private until a fix is available.
- Once fixed, maintainers may publish a security advisory with affected versions and mitigation guidance.

This policy covers vulnerabilities in:
- Boiler CLI source code
- Official install scripts in scripts/
- Officially maintained remote-fetching integrations

Third-party dependency vulnerabilities may need to be reported upstream in addition to this repository.