If you discover a security vulnerability in Coleman, please report it responsibly.

Do not open a public GitHub issue.

Instead, please send an email to jacksonpradolima@gmail.com with:

• A description of the vulnerability.
• Steps to reproduce the issue.
• Any potential impact or severity assessment.

We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation plan within 7 days of confirmation.

• We follow coordinated disclosure.
• Security fixes will be released as patch versions.
• A security advisory will be published on GitHub once the fix is available.

This policy applies to the coleman Python package and its dependencies as distributed through this repository. Third-party dependencies are managed via uv and pinned in uv.lock.

The experiment system adds two new direct dependencies:

All YAML loading uses yaml.safe_load() — untrusted YAML with arbitrary Python constructors is never evaluated.

Thank you for helping keep Coleman safe.