The Karta maintainers take security seriously. We appreciate your efforts to responsibly disclose any security vulnerabilities you find.
Security fixes are applied to the latest released minor version. While Karta is pre-1.0, only the most recent release receives security updates.

| Version | Supported |
|---|---|
| Latest release | ✅ |
| Older releases | ❌ |

Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via GitHub Security Advisories.
Please include a description of the vulnerability, steps to reproduce it, the affected versions, and its potential impact.
We aim to acknowledge and investigate reports in a timely manner, share an initial assessment of severity and next steps, and keep you informed of progress. We will coordinate a disclosure timeline with you before any public announcement.
We kindly ask reporters to allow a reasonable timeframe for a fix before any public disclosure.
The following are generally not considered reportable vulnerabilities:
- Issues caused by misconfiguration of a self-hosted deployment.
- Vulnerabilities in third-party dependencies that do not affect Karta directly (please report those to the upstream project).
- Reports from automated scanners without a demonstrated, exploitable impact.
We are happy to credit reporters in the release notes for the fix unless you prefer to remain anonymous. Please let us know your preference when you report.