| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| < 0.2 | ❌ |
If you discover a security vulnerability in coverctl, please report it responsibly:
- Do not open a public GitHub issue for security vulnerabilities
- Email the maintainer directly or use GitHub's private vulnerability reporting
- Include as much detail as possible:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
  - Critical: Within 24-48 hours
  - High: Within 7 days
  - Medium/Low: Next regular release
When using coverctl:
- Keep coverctl updated to the latest version
- Review `.coverctl.yaml` before running in CI pipelines
- Avoid storing sensitive information in coverage reports
- Use the `--config` flag to specify trusted configuration files
This security policy covers:
- The coverctl CLI tool
- The coverctl GitHub Action
- Official documentation and examples
Third-party integrations and forks are outside the scope of this policy.
- MCP threat model and sanitization boundaries: `docs/security/mcp-threat-model.md`