Security: bluewave-labs/LangRoute

SECURITY.md

Security Policy

Purpose

This document explains how to report vulnerabilities in LangRoute and what to expect.

Reporting a Vulnerability

Please report security issues privately.

Please do not open public issues for security problems.

What to Include

When reporting, please include:

  • Affected version or commit
  • Environment and system details
  • Steps to reproduce or proof-of-concept
  • Potential impact
  • Suggested severity (CVSS vector if known)

Response Expectations

  • We will acknowledge receipt within 3 business days (TODO: confirm window).
  • We will send status updates at least weekly until the issue is resolved (TODO: confirm cadence).
  • Target timelines for fixes:
    • Critical: 7–14 days (TODO: confirm)
    • High: 14–30 days (TODO: confirm)
    • Medium/Low: scheduled as appropriate, typically <90 days (TODO: confirm)

Disclosure Policy

We follow coordinated disclosure. We prefer to work with researchers on a mutually agreed timeline that balances user safety with transparency. Reporters will be credited after a fix is released if desired; anonymity will be respected.

Safe Harbor

We support good-faith security research that:

  • Makes a good-faith effort to avoid privacy violations, data destruction, and service disruption
  • Does not exfiltrate data beyond what is necessary to demonstrate the vulnerability
  • Does not use social engineering, physical attacks, or denial of service (volumetric or resource exhaustion)
  • Complies with applicable laws

If you are unsure whether an action is acceptable, contact us first.

Scope

In scope: vulnerabilities in this repository and official LangRoute deployments.

Out of scope:

  • Denial of service without novel attack techniques
  • Automated scans or brute force attacks without proof of exploit
  • Issues in third-party dependencies without an exploitable path through LangRoute
  • Best-practice recommendations without direct security impact

Supported Versions

Version | Supported
TODO | TODO (maintainers to define supported versions)

Contact / Encryption

If you need to encrypt your report, TODO: provide a project email and PGP key when available.

Thank you for helping keep LangRoute and its users safe.

There aren’t any published security advisories