Coffer is pre-v1; only main is supported. Pinned older versions receive no security backports.
Do not open a public GitHub issue for security findings.
Two private channels:
- GitHub Private Vulnerability Reporting (preferred): open a report at https://github.com/wyx-sg/Coffer/security/advisories/new. Authenticated users see a "Report a vulnerability" button on the Security tab.
- Email: hutwyx@gmail.com. Encrypt with the maintainer's public PGP key if you have it; otherwise plain text is acceptable for non-critical findings.
- Affected commit or version.
- Reproduction steps (minimal repo, log excerpt).
- Impact assessment.
- Suggested mitigation, if any.
- Acknowledgement: within 72 hours.
- Triage / first response: within 7 days.
- Fix / disclosure timeline: agreed case-by-case; typical 30–90 days.
Coffer is single-maintainer pre-v1 — response time is best-effort, not SLA-guaranteed.