Security: demergent-labs/azle

.github/SECURITY.md

Security Policy

Thank you for your interest in helping to keep Azle secure.

If you think that you have found a security vulnerability, we ask you to reach out to us privately according to the guidelines found in this security policy. We also ask that you refrain from opening any GitHub issues related to or publicly discussing any specific security vulnerability found in Azle until it has been resolved and publicly acknowledged by Demergent Labs.

Supported Versions

We will only update Azle in response to security vulnerabilities found in its latest stable GitHub release and corresponding published npm version.

Reporting a Security Vulnerability

To report a security vulnerability in Azle, please open a draft security advisory using GitHub's vulnerability reporting tool. If, for any reason, you cannot open a draft security advisory, please send an email to [email protected] without disclosing any details about the security vulnerability. You will be sent information to set up a secure channel for further communication.

Once Demergent Labs has received the initial necessary information from you, we will do the following:

  1. Respond privately to you within 3 business days.
  2. Remain in regular private contact with you to share our progress and ask for appropriate information and guidance.
  3. Perform our own assessment of the vulnerability according to CVSS v4.
  4. Address vulnerabilities assessed as Critical or High as soon as possible, culminating in a published GitHub security advisory, an assigned CVE ID, and a new release of Azle.
  5. Address vulnerabilities assessed as Medium or lower at our discretion.

We are very grateful to all who work to make Azle more secure. That being said, there are currently no bounties or rewards available for reporting vulnerabilities in Azle. We will credit you by mentioning the name or username of your choice in the published security advisory unless you choose to opt out.