Security Policy

Supported Versions

Version   Supported
2026.x    ✅
< 2026    ❌

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in Lacuna, please report it responsibly.

How to Report

  1. Do not open a public GitHub issue for security vulnerabilities
  2. Use GitHub's private vulnerability reporting
  3. Include as much detail as possible:
     • Description of the vulnerability
     • Steps to reproduce
     • Potential impact
     • Suggested fix (if any)

What to Expect

  • Acknowledgment: We aim to acknowledge receipt within 7 days
  • Initial Assessment: Within 30 days, we will provide an initial assessment
  • Resolution Timeline: We aim to resolve critical vulnerabilities within 90 days
  • Disclosure: We will coordinate with you on public disclosure timing

Security Measures

This project implements the following security practices:

  • Dependency Scanning: Dependabot monitors for vulnerable dependencies
  • License Compliance: FOSSA scans for license policy violations
  • Static Analysis: Bandit scans for common security issues in Python code
  • Code Quality: Ruff, mypy, and other linters catch potential issues

Security Best Practices for Users

When deploying Lacuna:

  1. Keep dependencies up to date
  2. Use environment variables for sensitive configuration
  3. Run with least-privilege permissions
  4. Enable audit logging in production
  5. Review and customize policies for your environment