Security: 01rabbit/Phasmid

Security Policy

Supported Versions

Phasmid is a prototype project. Security fixes are prioritized for the latest main branch and the latest tagged release line (if tags are present).

Older snapshots may not receive backported fixes.

Reporting a Vulnerability

Please report vulnerabilities privately to:

  • Email: appleseedj073@gmail.com
  • PGP fingerprint: 3B25 D2EE 9084 FAF4 7525 86FA CA32 EA9B 9038 7A39
  • Public key: docs/keys/security@phasmid.asc

When possible, include:

  • affected commit or release
  • reproducible steps
  • impact assessment
  • whether exploitation requires local host compromise

Disclosure Process and Timeline

  • Initial acknowledgement target: within 7 calendar days
  • Triage target: within 14 calendar days
  • Fix target (if accepted): best effort, usually 30–90 days depending on severity and complexity
  • Coordinated disclosure publication: after fix availability or explicit maintainer statement

These windows are best-effort for a single-maintainer project and can vary.

Single-Maintainer Risk Disclosure

Phasmid currently operates with a bus factor of 1.
Response time can be delayed by maintainer availability. In worst-case scenarios, an explicit EOL (end-of-life) declaration may be issued if sustained maintenance is no longer feasible.
