Thanks for taking the time to help keep this project secure! 🙏
Volga is currently in 0.x and maintained by a small team, so the security
process is intentionally lightweight.
During the 0.x stage, we generally support security fixes only for the latest released version.
- ✅ Supported: latest 0.x.y
- ❌ Not supported: older 0.x.y versions (no backports)
In practice, security fixes are published as part of the next release.
If a fix is important, we may ship a quick patch release - but we typically
won’t maintain intermediate versions once a newer release is available.
If you believe you’ve found a security issue, please do not open a public issue right away.
Instead, report it privately:
- Open a GitHub Security Advisory (preferred), or
- Contact the maintainer via the repository’s listed contact channels.
Please include:
- A clear description of the issue
- Impact and severity (if known)
- Steps to reproduce / PoC (if available)
- Affected versions and environment details
We aim to:
- acknowledge reports within a reasonable time,
- assess impact and decide on a fix,
- publish a release containing the fix,
- credit the reporter (if desired).
If the issue is already public or actively exploited, we may prioritize a faster release.
We appreciate responsible disclosure and will work with you on a reasonable timeline for releasing details once a fix is available.