Metacat follows an accelerated end-of-life policy. Due to limited
maintenance funding, we support only the current release: the latest
tagged release, which is also the HEAD of the main branch. Older
releases do not receive backported security fixes or ongoing support.
- Only the most recent product release is supported for security fixes.
- Security fixes are not backported to older releases.
- Users should upgrade to the latest release to receive security updates.
| Version | Supported |
|---|---|
| Latest release (tip of main branch) | ✅ |
| All previous releases | ❌ |
This policy aligns with the project release workflow documented in CONTRIBUTING.md, where the main branch tip reflects the most recent release.
Please do not report security vulnerabilities in public GitHub issues or pull requests.
Instead, use GitHub's private vulnerability reporting workflow:
- Go to the Metacat Security Advisories page.
- Click Report a vulnerability.
- Provide details to help us reproduce and assess the issue:
  - affected version(s)
  - deployment context and configuration
  - impact description
  - clear reproduction steps or proof of concept
  - suggested remediation (if available)
Direct link (while logged in to GitHub):
If you are unable to use GitHub private reporting, contact the maintainers at:
Use a subject line starting with SECURITY: and include the same details listed above.
We aim to follow these targets (best effort):
- Initial acknowledgment: within 3 business days
- Triage decision (validity/severity/scope): within 10 business days
- Ongoing status updates: at least every 10 business days while actively investigating
If a report is accepted, maintainers will:
- validate and prioritize the issue
- develop and test a fix in the normal release workflow
- publish a fix in the next available release
- publish a security advisory when appropriate
Because only the newest release is supported, accepted fixes are released only in the latest product release.
Please allow maintainers a reasonable amount of time to investigate, patch, and publish guidance before public disclosure.
The project will coordinate disclosure timing with reporters whenever possible. After a fix is available, maintainers may publish details through a GitHub Security Advisory and release notes.
To reduce risk:
- run the latest Metacat release
- subscribe to repository release notifications
- monitor published release notes and security advisories
For release details, see README.md and RELEASE-NOTES.md.
This policy applies to vulnerabilities in source code and officially maintained release artifacts in this repository.
Out-of-scope examples may include:
- vulnerabilities only affecting unsupported versions
- issues requiring unrealistic attack preconditions
- reports consisting only of automated scanner output without a reproducible impact
Even if an issue is out of scope for a formal security response, maintainers may still accept quality bug reports through normal channels.