Security fixes are handled for the latest public release and the active development branch.
Older builds should be upgraded before reporting a defect unless the issue is needed for compatibility testing.
Do not open a public issue for suspected security vulnerabilities.
Send vulnerability reports to security@noirlang.tr.
Include only the information needed to reproduce the issue:
- affected version or commit
- operating system and architecture
- affected flow, such as local disk, remote agent, RAM, Android, update, or report generation
- reproduction steps
- expected result and actual result
- relevant logs with sensitive data removed
Never attach real case data, disk images, memory dumps, Android exports, access tokens, IP addresses, passwords, or private logs to a public issue or pull request.
Use synthetic test images, redacted logs, or a minimal reproduction whenever possible.
Security reports should focus on issues that could affect evidence integrity, privilege handling, update safety, agent communication, file output paths, or exposure of sensitive data.