If you discover a security vulnerability, do not open a public issue.
Email: [email protected]
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
Response timeline:
- Acknowledgment within 48 hours
- Assessment within 7 days
- Fix timeline depends on severity
We practice coordinated disclosure:
- Reporter notifies us privately
- We assess and develop a fix
- We release the fix
- Public disclosure after patch is available
This policy covers:
- The HoTTGo kernel (kernel/)
- The evaluation engine (internal/eval/)
- CLI tools (cmd/)
For issues in dependencies, report upstream.
Only the latest release is actively supported with security updates.
This policy does not cover:
- Performance problems
- Feature requests
- Documentation errors
Use regular GitHub issues for these.