| Version | Supported |
|---|---|
| 0.x.x | ✅ |
Do not report security vulnerabilities through public GitHub issues.
Instead, please report them via:
- Email: security@hyperpolymath.org (preferred)
- GitHub Security Advisories: Create a private advisory
Please include the following information in your report:
- Type of vulnerability (buffer overflow, injection, etc.)
- Full path to affected source file(s)
- Step-by-step instructions to reproduce
- Proof-of-concept or exploit code (if available)
- Impact assessment
Response timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Resolution target: Within 90 days (may vary based on severity)
We consider security research conducted in accordance with this policy to be:
- Authorized
- Lawful
- Helpful
We will not pursue legal action against researchers who follow this policy.
This project implements:
- Dependabot alerts enabled
- CodeQL static analysis
- OpenSSF Scorecard compliance
- Signed commits required
- Branch protection enabled
- Formal verification (Idris 2 dependent types)
- Security audit (planned for 1.0)
The core Idris 2 code is formally verified. However:
- Language bindings (Python, Rust, JS) are human-written and may contain bugs
- FFI boundaries are potential attack surfaces
- Build toolchain (Zig, C compiler) is not verified
Report issues in any layer — we take all security concerns seriously.