rtdfeatures follows a latest-stable support policy:
- The most recent stable release receives security fixes.
- Older releases may not receive security updates.
Please do not open public issues for suspected vulnerabilities.
- Private report email: security@merryweather.dev
- Include: affected version, reproduction steps, impact, and any known mitigations.
- Acknowledgement target: within 5 business days
- Triage target: initial severity/risk assessment after acknowledgement
- Remediation and disclosure: coordinated disclosure after a fix is available
This repository maintains a minimum public-release security baseline:
- Static security checks are run where supported by the active repository plan
- Dependency audit runs in CI via pip-audit in .github/workflows/ci.yml
Repository-level secret scanning and push protection should be enabled in GitHub settings when available for the repository plan.