Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Use one of the private channels instead:
- GitHub Security Advisory (preferred). Open a private advisory in this repository. This creates a private thread visible only to you and the Synheart maintainers.
- Email. Send details to security@synheart.ai. Encrypt sensitive content if possible.
Please include:
- A description of the vulnerability and its impact.
- Steps to reproduce, or a proof-of-concept.
- Affected versions, if known.
- Your contact information for follow-up.
What to expect from us:
- We aim to acknowledge new reports within 3 business days.
- We will keep you informed as we investigate and develop a fix.
- We will coordinate disclosure with you. Please do not publish details until a fix is released.
- We credit reporters in the release notes unless you prefer to remain anonymous.
This policy covers the synheart_core SDK published from this repository. Issues in unrelated dependencies should be reported upstream to their maintainers.
Out of scope:
- Vulnerabilities requiring physical access to an unlocked device.
- Reports generated solely from automated scanners without a working proof-of-concept.
- Issues in example/demo code clearly marked as non-production.