Security policy

Reporting a vulnerability

Please do not open a public GitHub issue for suspected security vulnerabilities.

Instead, report security issues privately to the maintainers using the contact path documented in MAINTAINERS.md, or the repository security advisory workflow if enabled on GitHub.

When reporting, please include:

  • affected component (kl, kld, klc, docs, compose)
  • reproduction steps or proof of concept
  • impact assessment
  • version / commit tested
  • any suggested mitigations if known

Scope

We care especially about issues involving:

  • authentication and authorization boundaries
  • control-plane or runtime privilege escalation
  • tenant or environment isolation failures
  • direct database exposure or bypass of API-only client boundaries
  • leakage of sensitive state or secrets
  • unsafe rollback/query behavior that crosses expected tenant or environment scope

Response expectations

We will try to:

  • acknowledge the report promptly
  • assess severity and blast radius
  • coordinate a fix and disclosure plan
  • credit reporters where appropriate, unless they prefer not to be named

Supported release posture

This project is still evolving quickly. In general, the main branch and the most recent tagged release should be treated as the supported baseline unless stated otherwise.