## Supported Versions

| Version | Supported |
|---|---|
| 1.x.x | Yes |
| < 1.0 | No |
## Reporting a Vulnerability

Please do not report security vulnerabilities through public issues.
Instead, report them by email to: hello@lightlib.org

When reporting a vulnerability, please include:

- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Affected versions (if known)
- Suggested fix (if any)
- Proof-of-concept code (if possible)
## Response Timeline

- Initial response: Within 48 hours
- Status update: Within 7 days
- Fix timeline: Depends on severity (typically 30-90 days)
- Public disclosure: After fix is released
## Disclosure Policy

We follow coordinated disclosure:

- You report the issue privately by email
- We confirm and investigate the vulnerability
- We develop and test a fix
- We release the patch
- We publicly disclose with credit to the reporter (unless anonymity requested)
## Severity Levels

| Severity | Response Time | Fix Timeline |
|---|---|---|
| Critical | 24 hours | 7 days |
| High | 48 hours | 30 days |
| Medium | 7 days | 60 days |
| Low | 14 days | 90 days |
## Scope

### In Scope

- Vulnerabilities in lightlib source code
- Security issues in build configuration
- Dependency vulnerabilities (reported to us, we will update)

### Out of Scope

- Third-party dependency issues (report upstream)
- Issues requiring physical access to a user's system
- Social engineering attacks
- Theoretical vulnerabilities without proof of concept
- Denial of service issues (unless critical)
## Recognition

We appreciate security researchers and will credit reporters in:

- Security advisories (published on GitVerse)
- Release notes
- CHANGELOG.md

Credit can be anonymous if requested.
## License

lightlib is licensed under LGPL-3.0-or-later.

Thank you for helping keep lightlib and its users safe.