| Version | Supported |
|---|---|
| 0.9.x | Yes |
| < 0.9 | No |

If you discover a security vulnerability in decoy-tripwire, please report it responsibly.

Email: security@decoy.run

What to include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

What to expect:
- Acknowledgment within 48 hours
- Status update within 5 business days
- Credit in the advisory (unless you prefer anonymity)

Please do not:
- Open a public GitHub issue for security vulnerabilities
- Share details publicly before a fix is released

This policy covers the decoy-tripwire npm package, including the CLI (bin/cli.mjs) and MCP server (server/server.mjs).
Issues in the Decoy cloud service (app.decoy.run) should also be reported to security@decoy.run.