
Security: run-ai/karta

SECURITY.md

Security Policy

The Karta maintainers take security seriously. We appreciate your efforts to responsibly disclose any security vulnerabilities you find.

Supported Versions

Security fixes are applied to the latest released minor version. While Karta is pre-1.0, only the most recent release receives security updates.

Version          Supported
Latest release   Yes
Older releases   No

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via GitHub Security Advisories.

Please include a description of the vulnerability, steps to reproduce, affected versions, and any potential impact.

What to expect

We aim to acknowledge and investigate reports in a timely manner, share an initial assessment of severity and next steps, and keep you informed of progress. We will coordinate a disclosure timeline with you before any public announcement.

We kindly ask reporters to allow a reasonable timeframe for a fix before any public disclosure.

Out of scope

The following are generally not considered reportable vulnerabilities:

  • Issues caused by misconfiguration of a self-hosted deployment.
  • Vulnerabilities in third-party dependencies that do not affect Karta directly (please report those to the upstream project).
  • Reports from automated scanners without a demonstrated, exploitable impact.

Credit

We are happy to credit reporters in the release notes for the fix unless you prefer to remain anonymous. Please let us know your preference when you report.

There aren't any published security advisories