Security Policy
Supported Versions
The following table indicates which versions of the project are currently receiving security updates:

| Version | Supported | End-of-Support |
|---|---|---|
| 0.4.x | ✅ | TBD: 0.4.x versions are Beta versions and will not be supported after the 0.5.x release. |
| < 0.4.0 | ❌ | 0.x.x versions are Beta versions. Only the current minor version will be supported. |
| < 0.2.0 | ❌ | Proof-of-concept, not supported |
We generally support:
The most recent major version with its latest minor release.
Always update to the latest version of this package to keep up with security patches. Security patches will NOT be backported to earlier releases.
Reporting a Vulnerability
We take security vulnerabilities seriously. We appreciate your efforts in responsibly disclosing your findings.
Reporting Process
Do NOT disclose security vulnerabilities publicly via GitHub issues, discussions, or pull requests.
If you believe you’ve found a security-related bug, we prefer that you fill out a vulnerability report on GitHub directly.
If you do not have a GitHub account, you may submit your report via email to security at kuhl.haus
using our PGP key. UNENCRYPTED emails from UNVERIFIED senders are AUTOMATICALLY REJECTED.
Include the following details:
Description of the vulnerability
Steps to reproduce
Potential impact
Any suggested mitigation measures
Your contact information for follow-up
What to Expect
Initial Response: We will acknowledge your report within 48 hours.
Assessment: We aim to verify all reports within 7 days.
Regular Updates: You will receive updates on the status of your report at least once per week.
Resolution Timeline: We aim to resolve critical vulnerabilities within 30 days of verification.
Disclosure Policy
We follow a coordinated disclosure process:
Report remains confidential during investigation and patching.
We develop and test a fix.
We release updated versions with appropriate CVE identifiers.
Public disclosure occurs 30 days after the fix is released unless otherwise agreed.
Recognition
We gladly acknowledge security researchers who report valid vulnerabilities.
With your permission, we’ll add your name to our security acknowledgments page.
Security Best Practices Used in This Project
Automated Security Testing: All commits to the mainline branch undergo automated CodeQL scanning.
Regular Dependency Updates: We use Dependabot automation to keep dependencies updated.
Supply Chain Security: We sign releases, use artifact verification, and publish to PyPI with a Trusted Publisher.
PGP Key
UNENCRYPTED emails from UNVERIFIED senders are AUTOMATICALLY REJECTED.
For encrypted communication, please use our PGP key.
Email: security at kuhl.haus
Fingerprint: 74d6f5d19c1747729c4c4d8403262a29b12a7124

-----BEGIN PGP PUBLIC KEY BLOCK-----
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
=TXmO
-----END PGP PUBLIC KEY BLOCK-----
Safe Harbor
We consider security research conducted in good faith to be:
Authorized and legal
Exempt from legal action
The following activities are prohibited:
Denial of service testing
Social engineering attacks
Testing of physical security
Accessing or modifying data of other users
Security Updates
Security updates will be announced via:
GitHub Security Advisories
Our project newsletter or mailing list
Release notes
Subscribe to these channels to stay informed about security updates.
This security policy is based on industry best practices for responsible disclosure and vulnerability management in open-source software.