Thanks for reporting vulnerabilities responsibly. This document describes scope, contact, and expectations.
Vitte is experimental. We prioritize issues affecting the main branch and the latest published release.
Please avoid public disclosure before a fix is available. A useful report includes:
- Clear description of the issue
- Steps to reproduce
- Minimal PoC
- Estimated impact (RCE, data leak, DoS, etc.)
- Affected version/commit
- Environment details (OS, toolchain, flags)
How to report:
- Open a private issue if possible
- Otherwise open a public issue without sensitive details, and request a private channel
Response timelines:
- Acknowledgement: within 72h
- Initial triage: within 7 days
- Fix or plan: as soon as possible based on severity
In scope:
- Vitte compiler
- Vitte runtime
- Standard library
- Official tooling (scripts in tools/, editor integrations)
Out of scope:
- Third-party dependencies (OpenSSL, libcurl, etc.)
- Local modifications or unofficial forks
Rules for testing:
- Do not exploit in production
- Do not exfiltrate real data
- Keep PoC minimal
No bug bounty at the moment. Security contributors can be credited in release notes on request.
If you need encrypted contact, propose a public key and we will respond with ours.
Can I publish after a fix ships?
Yes, after coordinated disclosure.
What if I’m unsure it’s a vulnerability?
Send it anyway; we’ll triage.