Security: CameronNicolson/django-blog-improved

SECURITY.md

Reporting a Vulnerability

If you have found a security vulnerability, we kindly ask that you disclose it responsibly by emailing security@nicolson.scot. Optionally, if you are using an insecure network and wish to protect your communications, you can use our PGP key. Please do not discuss potential vulnerabilities publicly without validating them with us first.

Please note that the email address does not send automated responses. Upon receiving a report, our team will:

  • Review the report, verify the vulnerability, and respond with confirmation and/or further information requests. We aim to reply within 5 business days.
  • Notify the reporter once the security issue has been addressed, at which point they are welcome to disclose it publicly if they wish.

We will only respond to emails that clearly describe the issue or vulnerability. Please provide detailed information in your initial contact so that we can proceed effectively.

Supported Software Versions

The project is currently in early production. This means that all code up to version 1.0 qualifies for security patches. Our commitment to patch older versions depends on their backward compatibility with the current codebase, as some code may diverge over time. For more details about specific scenarios, please feel free to contact us.

For example, if you discover a vulnerability in version 0.2.1 and the current release is at version 4.0, the older version (0.2.1) will still be patched.

There aren’t any published security advisories