Use GitHub's private vulnerability reporting to report security issues: navigate to the repository's Security tab -> Advisories -> Report a vulnerability.
If GitHub private reporting is unavailable, email:
security@lattice-substrate.org (listed in NOTICE).
Do not open public issues for unpatched vulnerabilities.
Include:
- affected version and environment
- reproduction steps and input sample
- observed impact
- suggested mitigation (if known)

| Stage | Target |
|---|---|
| Initial acknowledgment | 5 business days |
| Severity triage | 10 business days |
| Fix available (Critical/High) | 30 calendar days |
| Fix available (Medium/Low) | 90 calendar days |

Security fixes are provided for:
- latest release on the default branch
- previous minor release line (when one exists)
Older versions receive no security updates.

- Maintainers acknowledge receipt and triage severity.
- A fix is developed and validated in CI.
- A coordinated release is published with notes and upgrade guidance.
- Public disclosure follows release availability.