Do not open a public issue for security vulnerabilities.

Email security@rafter.so with:

- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Your name/handle for credit (optional)

We aim to acknowledge reports within 48 hours and provide a fix timeline within 7 days.

| Version | Supported |
|---|---|
| 0.6.x | Yes |
| < 0.6 | No |

This policy covers the rafter-cli npm package, the rafter-cli PyPI package, the VS Code extension, and the GitHub Action. It does not cover the Rafter cloud API (report separately at security@rafter.so).

We follow coordinated disclosure. We'll work with you on a timeline and credit you in the advisory unless you prefer anonymity.