If you discover a security vulnerability in this project, please report it to security@postgres.ai. All reports are thoroughly investigated by the project maintainers.

• You think you have discovered a potential security vulnerability in this project or related components.
• You are unsure how a vulnerability affects this project.
• You think you discovered a vulnerability in another project that this project depends on.
• You want to report any other security risk that could potentially harm users.

• Your issue is not security related.

Each report is acknowledged and analyzed by the project maintainers and the security team within 3 working days.

The reporter will be kept updated at every stage of the issue's analysis and resolution (triage → fix → release).

A public disclosure date is negotiated by the maintainers (security@postgres.ai) and the bug submitter. We prefer to fully disclose the bug as soon as possible once user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. We expect the timeframe between a report and public disclosure to typically be in the order of 7 days.