| Version | Supported |
|---|---|
| latest | Yes |
We only provide security fixes for the latest release.
If you discover a security vulnerability, please report it responsibly. Do not open a public GitHub issue.
Email security@zosma.ai with:
-
A description of the vulnerability
-
Steps to reproduce
-
Any relevant logs or screenshots
-
Your suggested severity (critical, high, medium, low)
We will acknowledge receipt within 48 hours and aim to provide an initial assessment within 5 business days.
-
We follow coordinated disclosure. We ask that you give us a reasonable window (typically 90 days) to address the issue before public disclosure.
-
Once a fix is released, we will publish a security advisory on GitHub.
-
Credit will be given to reporters unless they prefer to remain anonymous.
This policy applies to the OpenZosma repository and any officially maintained packages within this monorepo. Third-party dependencies are outside our direct scope, but we will work to address transitive vulnerabilities promptly.