What's in Scope
- Compiler correctness: privacy type enforcement bypass, effect system bypass
- Code generation: generated assembly that violates type safety
- Runtime safety: buffer overflows, memory corruption in compiled programs
- Privacy type system: any path that leaks Sensitive data without expose()
- Bootstrap chain: tampering or integrity issues
What's Not in Scope
- Feature requests — use GitHub Issues
- Non-security bugs — use GitHub Issues
- Social engineering
Response Timeline
This is a solo developer project. Honest timelines:
- Acknowledgment: within 72 hours
- Assessment: within 1 week
- Fix for critical issues: within 2 weeks
Credit
Security researchers who report valid vulnerabilities will be credited in the release notes, unless they prefer anonymity.