| Version | Supported |
|---|---|
| 0.0.x | ✅ |
As the project is in early development (pre 1.0), only the latest release receives security updates. Please ensure you are running the most recent version before reporting a vulnerability.
Please do not report security vulnerabilities through public issues, pull requests, or any other public channels.
Instead, please open a confidential issue on Codeberg (tick "this issue is confidential" before submitting). This ensures the details remain confidential until a fix is available.
When reporting, please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof of concept
- The version(s) affected
- Any suggested fix, if available
After you report, you can expect:
- Acknowledgement within 72 hours of your report
- Status update within 7 days with an initial assessment
- Resolution target of 30 days for confirmed vulnerabilities, though critical issues will be prioritized for faster turnaround
If the vulnerability is accepted, we will work on a fix, coordinate disclosure with you, and credit you in the release notes (unless you prefer to remain anonymous).
If the vulnerability is declined, we will provide a clear explanation of why.
This policy applies to the code-graph-rag Python package and its official repository. Third-party dependencies are outside the direct scope of this policy, though we use Dependabot to monitor and update them; vulnerabilities in a dependency should be reported to that project's maintainers.
- Dependency scanning: Dependabot is enabled for automated dependency updates
- Secret scanning: GitHub secret scanning is active on this repository
- Branch protection: The `main` branch requires pull request reviews before merging
We accept security reports in English.