We take the security of burnless seriously. Thank you for helping keep the project and its users safe.
Security updates are applied to the latest minor release only. We do not backport fixes to older minor versions — please upgrade to the latest release to receive security patches.
| Version | Supported |
|---|---|
| Latest minor | ✅ Yes |
| Older minors | ❌ No (no backports) |
Please do not open a public issue for security reports. Public disclosure before a fix is available puts all users at risk.
Report vulnerabilities privately through either channel:
- Preferred — GitHub Private Vulnerability Reporting. Go to the repository's Security tab and click "Report a vulnerability" (Security Advisories). This keeps the report private and lets us collaborate on a fix and coordinated disclosure.
- Fallback — email security@burnless.ai.
Please include enough detail to reproduce: affected version, environment (self-host vs cloud), steps, and impact.
- Acknowledgment within ~72 hours of your report.
- Coordinated disclosure with a standard 90-day window — we'll work with you on timing so a fix is available before details go public.
- Credit is offered to reporters in the advisory and release notes (let us know if you'd prefer to remain anonymous).