# Security Policy

## Supported versions

Only the latest released version of `sem_cython12` receives security fixes. The current supported line is `1.0.x`.

| Version | Supported |
|---------|-----------|
| 1.0.x   | yes       |
| < 1.0   | no        |

## Reporting a vulnerability

Please report suspected security vulnerabilities **privately**, not on the public issue tracker.

Email: **info@sevana.biz**

Include in your report:

- a description of the issue and its potential impact,
- the affected version(s) of `sem_cython12`,
- platform details (OS, architecture, Python version),
- a minimal reproducer if possible,
- whether the issue is already publicly known.

## What to expect

- **Acknowledgement** within **5 business days** of receipt.
- **Initial assessment** (severity, scope, reproducibility) within 15 business days.
- **Coordinated disclosure**: we will work with you on a disclosure timeline. We aim to release a fix or mitigation before public disclosure. The default embargo is up to 90 days from acknowledgement, extendable by mutual agreement for non-trivial fixes.
- **Credit**: with your permission, we will credit you in the `CHANGELOG.md` entry for the fix.

## Out of scope

- Issues that require an attacker to already control the Python process running `sem_cython12` (e.g. arbitrary pickle loading, malicious NumPy arrays constructed in-process).
- Denial-of-service via deliberately huge input arrays.
- Vulnerabilities in third-party dependencies (NumPy, OpenMP runtime) that are not specific to `sem_cython12`'s use of them; please report those upstream.

## No bug bounty

`sem_cython12` does not currently operate a paid bug bounty programme. Reports are appreciated and will be acknowledged in writing.