Reporting a vulnerability

Please report security vulnerabilities privately through GitHub's private vulnerability reporting, not a public issue. Reports are acknowledged and investigated, and a fix and coordinated disclosure follow.

Supported versions

notenv is pre-1.0 and developed on a rolling basis; security fixes land on the latest release. Run a recent version.

Scope

The threat model describes what notenv defends and, explicitly, what it does not. A report that a documented non-goal is undefended is not a vulnerability; a report that a stated guarantee does not hold is, and is welcome.