Vouch sits in the supply-chain hot path: it decides whether a tarball, wheel, jar, gem, or crate gets handed to your build. Bugs here have outsized blast radius, so I take reports seriously.
Please do not open a public GitHub issue for suspected security bugs.
Use GitHub's private vulnerability reporting for this repository. That gives us a private thread, a CVE workflow, and a coordinated-disclosure timeline.
If you cannot use the GitHub flow, email reports to the address on the maintainer's GitHub profile. PGP is available on request.
I aim to acknowledge reports within three working days and to ship a fix or mitigation within 30 days for high-severity issues. We will credit reporters in the advisory unless you ask otherwise.
In scope:
- Bypasses of cooldown, hash, or provenance policy that result in serving an artifact that should have been denied.
- Path traversal, SSRF, request smuggling, or any way to make Vouch fetch from a host other than the configured upstream.
- Trust-state downgrades or audit-log tampering.
- Resource exhaustion that takes Vouch out of service from a single authenticated or unauthenticated request.
- Container/runtime escapes from the published image.
Out of scope:
- Misconfiguration of your deployment (e.g. exposing `/metrics` publicly, running with `policy.cooldown_days: 0`).
- Findings against the public registries Vouch proxies — please report those to the registry operators (security@npmjs.com, security@pypi.org, etc.).
- Denial-of-service requiring unrealistic request volumes from privileged network positions.
Vouch is pre-1.0. Only the latest tagged release receives security fixes; I do not backport to older minor versions yet. Once we hit 1.0 this policy will be revised.