Security
Security advisories
Public record of every security issue we've had to fix in Sloth Lee. We list them here even when we caught and fixed the issue ourselves, so the disclosure history is honest and complete.
No advisories yet.
We haven't had to publish a security advisory. That's not a guarantee one will never happen — it means none have happened, or none of the issues we've internally caught reached a severity that warranted public disclosure.
When the first one ships it will be listed here with: the issue summary, the affected versions, the fixed-in version, the timeline of disclosure, and (with their permission) a credit to the reporter.
Found something? See how to report — or hit the security.txt for the contact details.
Disclosure policy
- Acknowledgement within 48 hours of report receipt.
- Triage within 5 business days; reporter kept in the loop.
- Coordinated disclosure— we don't publish until a fix has shipped and customers have had time to adopt it. Standard window is 90 days from report; shorter for critical issues with clear remediation, longer if the fix is genuinely complex.
- Creditwith reporter permission. We don't silently fix.
- No legal action against good-faith researchers who follow this policy. See our security page for the safe harbour wording.