Security: praxis-proxy/praxis

SECURITY.md

Security Policy

Supported Versions

Version | Supported
0.1.x   | No (Alpha)

Only the latest patch release of each minor version receives security updates.

Reporting a Vulnerability

Please report security vulnerabilities by emailing security <at> praxis <dot> fast. Do not open a public issue.

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Affected versions
  • Any potential mitigations you have identified

Response Timeline

Prior to v1.0.0 we will work with researchers individually on timelines. After v1.0.0 we will have a standardized response timeline.

Severity Classification

We use the following severity levels:

  • Critical: Remote code execution, authentication bypass, or data exfiltration without user interaction
  • High: Denial of service with amplification, privilege escalation, or significant data exposure
  • Medium: Denial of service requiring sustained effort, information disclosure of limited scope
  • Low: Issues requiring unlikely configurations or minimal impact

Safe Harbor

We consider security research conducted in good faith to be authorized. We will not pursue legal action against researchers who follow this policy and report findings responsibly. In fact, we really appreciate the help in making Praxis more secure. Thank you for your efforts!

There aren’t any published security advisories