| Version | Supported |
|---|---|
| 0.x.x | ✅ |

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

- Do NOT open a public GitHub issue for security vulnerabilities
- Send an email to hello@ecrin.digital with:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Any suggested fixes (optional)
- Acknowledgment: Within 48 hours of your report
- Initial Assessment: Within 7 days
- Resolution Timeline: Depends on severity
  - Critical: 24-72 hours
  - High: 1-2 weeks
  - Medium: 2-4 weeks
  - Low: Next release cycle
- We follow coordinated disclosure practices
- Security advisories will be published after fixes are available
- Credit will be given to reporters (unless anonymity is requested)

When using Carat Engine:

- Keep dependencies updated
- Validate all external input (assets, user data)
- Use the latest stable release
- Review shader code for potential issues

This security policy applies to:

- Carat Engine core library
- Official examples and tools
- Build system configurations

Third-party dependencies have their own security policies.