| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
Only the latest release receives security updates. We recommend always running the most recent version.
Please do not report security vulnerabilities through public GitHub issues.
Instead, use one of the following methods:
- GitHub Private Vulnerability Reporting (preferred): Use the "Report a vulnerability" button on the Security tab of this repository.
- Email: Send details to hello@coyote.cc
- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggested fixes (if applicable)
| Severity | Initial Response | Resolution Target |
|---|---|---|
| Critical | 48 hours | 14 days |
| High | 72 hours | 30 days |
| Medium | 1 week | 90 days |
| Low | 2 weeks | Best effort |
We will acknowledge receipt of your report and keep you informed of progress toward a fix.
- We follow coordinated disclosure. We ask that you give us reasonable time to address the vulnerability before making it public.
- Once a fix is released, we will publish a security advisory on this repository crediting the reporter (unless anonymity is requested).
Security patches are released as new versions. To stay informed:
- Watch this repository for releases
- Review the CHANGELOG for security-related entries
The following are in scope for security reports:
- Vulnerabilities in Coyote's scanning engine, CLI, or report generation
- Dependency vulnerabilities that affect Coyote's functionality
- Issues where Coyote could leak or mishandle secrets it discovers during scanning
- Injection vulnerabilities in report output (HTML, SARIF, JSON, Markdown)
The following are out of scope:
- Security issues in repositories that Coyote scans (those belong to the repository owner)
- Example credentials included in documentation for testing purposes
- Feature requests for additional detection rules
- Do not pipe Coyote output to untrusted systems without validating the content first
- Review HTML reports before sharing, as they may contain snippets of detected secrets
- Store reports securely since they may reference sensitive findings
- Keep dependencies updated: Run
pip install --upgrade -r requirements.txtregularly