| Version | Supported |
|---|---|
| main | ✅ |
| develop | ✅ |
| < 1.0 | ❌ |
We provide security patches for the current main and develop branches. Older versions and unreleased branches are not supported.
Do not open a public issue. Report security vulnerabilities privately:
- Email:
git@kyaulabs.com - Subject:
[SECURITY] pulsar - <brief description>
Include:
- Detailed description of the vulnerability
- Steps to reproduce
- Affected versions/components
- Proof-of-concept or exploit code (if available)
- Suggested remediation (if available)
| Milestone | Target |
|---|---|
| Acknowledgment | 7 calendar days |
| Initial assessment | 14 calendar days |
| Patch available | 90 calendar days (or sooner) |
| Public disclosure | After patch is available and users have had time to update |
We will keep you informed of progress and coordinate disclosure timing.
The security policy covers:
- Harness code: scripts, agents, skills, commands under
.opencode/,scripts/,playbooks/,roles/ - Secrets management: ansible-vault usage,
.envhandling, credential storage - SSH configuration: key management, cipher selection, access controls
- Firewall rules: nftables/ufw/firewalld configurations generated or managed by the harness
- CI/CD pipeline: GitHub Actions workflows, hooks, and automation
- Vulnerabilities in third-party dependencies (report to the upstream project)
- Issues caused by misconfiguration by the operator (unless the harness enables unsafe defaults)
- Social engineering or phishing attacks
We maintain a Hall of Fame for security researchers who responsibly disclose valid vulnerabilities. With your permission, we will acknowledge your contribution in:
- The security advisory
- Release notes
SECURITY.mdacknowledgments section
Disclosure coordination is handled on a case-by-case basis. We follow the principle of coordinated vulnerability disclosure (CVD) and will not disclose details before a patch is available unless mutually agreed.