We provide security updates for the latest release and the main branch. Older versions are not supported.

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

1. Do NOT file a public GitHub issue for security vulnerabilities
2. Email: Send details to security@star.ga
3. Alternative: Contact the repo owner (@cputer) directly via GitHub's private vulnerability reporting

• Description of the vulnerability
• Steps to reproduce
• Potential impact assessment
• Any suggested fixes (optional)

• We follow coordinated disclosure practices
• Credit will be given to reporters (unless anonymity is requested)
• We aim to release fixes before public disclosure
• Critical vulnerabilities may receive expedited handling

When using MIND in production (as a dependency in your own applications):

1. Pin dependencies: Commit your application's Cargo.lock to ensure reproducible builds
2. Verify checksums: Validate release artifacts before deployment
3. Sandbox execution: Run compiled MIND programs in isolated environments
4. Audit inputs: Validate all external data before processing
5. Update regularly: Keep MIND and dependencies up to date

• cargo deny check runs on all PRs for license and advisory checks
• Clippy with -D warnings enforces safe Rust patterns
• No unsafe code in core compiler paths

This security policy covers:

• The MIND compiler (mindc)
• The MIND interpreter (mind)
• Core library (src/)
• Build tooling and CI

Out of scope:

• Third-party dependencies (report to upstream)
• The proprietary mind-runtime (separate policy)
• Example code and documentation

• Security issues: security@star.ga
• General inquiries: info@star.ga
• Repository owner: @cputer