# Security Policy

## Reporting a Vulnerability

If there are any vulnerabilities in **RootAsRole**, don't hesitate to _report them_.

1. Send mail at <mailto:eddie.billoir@irit.fr>.
2. Describe the vulnerability.

   If you have a fix, that is most welcome -- please attach or summarize it in your message!

3. We will evaluate the vulnerability and, if necessary, release a fix or mitigating steps to address it. We will contact you to let you know the outcome, and will credit you in the report.

   Please **do not disclose the vulnerability publicly** until a fix is released!

4. Once we have either a) published a fix, or b) declined to address the vulnerability for whatever reason, you are free to publicly disclose it.

## Supported Versions

For now, RootAsRole is not distributed widely on repositories because the software is not meant to be production-ready. The objective of 3.0.0 stable version is to be available on linux distributions repositories. So we'll only consider security issues when the software is broadly distributed.

| Version | Supported          |
| ------- | ------------------ |
| >=3.0.0 | :white_check_mark: |
| < 3.0.0 | :x:                |