Only the latest tagged release receives security updates. Older versions are not patched; please upgrade.

If you discover a security vulnerability in HexaKit, please report it privately:

• Email: kooshapari@kooshapari.com
• GitHub: Open a private security advisory via the Security tab on this repository
• DO NOT open a public issue, PR, or discussion for security vulnerabilities
• DO NOT disclose the vulnerability publicly until we have issued a fix and an advisory

We aim to acknowledge new reports within 3 business days and to issue a fix or mitigation within 30 days for critical issues.

1. Report received - maintainer acknowledges and assigns a CVE-style tracking ID.
2. Triage - severity assessed (Critical / High / Medium / Low) using CVSS 3.1.
3. Patch development - fix authored in a private fork; CI validates the fix.
4. Coordinated disclosure - embargo window negotiated (default 90 days from report).
5. Public advisory - GitHub Security Advisory + CVE assignment + release notes.

• Critical / High: patch release within 7 days; GHSA published simultaneously
• Medium: patch release within 30 days
• Low: bundled into next regular release

Cadence is codified in ADR-042 (security audit cadence, monthly sweep via scripts/audit.sh).

In scope:

• The HexaKit source tree on the default branch
• Tagged releases on the default branch
• Pre-built artifacts published from CI (crates.io / PyPI / npm / Go modules)

Out of scope:

• Issues in transitive dependencies (report upstream)
• Issues requiring physical access to the user's machine
• Denial-of-service via resource exhaustion in user-supplied inputs (best-effort mitigation only)

This repository runs the following security tooling on every push and weekly cron:

• cargo audit / pip-audit / npm audit / govulncheck - dependency CVE scanning
• gitleaks - secret detection (.gitleaks.toml allowlists known false positives)
• trivy - image and filesystem vulnerability scanning
• cargo-cyclonedx / syft - SBOM generation (CycloneDX format)
• slsa-github-generator - SLSA Build Level 3 provenance attestation
• CodeQL - static analysis for the primary language

See .github/workflows/security.yml and scripts/audit.sh for full configuration.

• All dependencies pinned via lockfile (Cargo.lock / poetry.lock / package-lock.json / go.sum)
• dependabot.yml configured for security-only updates (see .github/dependabot.yml)
• Renovate is not used
• SBOMs are generated on every release and attached to the GitHub release

We thank the security researchers and contributors who report vulnerabilities responsibly.