| Version | Supported |
|---|---|
| 0.4.x | Yes |
| < 0.4 | No |
If you discover a security vulnerability in Duragent, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead:
- Email the maintainer directly or use GitHub's private vulnerability reporting
- Include a description of the vulnerability, steps to reproduce, and any potential impact
- Allow reasonable time for a fix before public disclosure
- Acknowledgment within 48 hours of your report
- Status update within 7 days with an assessment and expected timeline
- Fix and disclosure coordinated with you before public announcement
This policy applies to the Duragent core runtime and first-party plugins (e.g. duragent-gateway-discord, duragent-gateway-telegram). Third-party plugins are the responsibility of their respective maintainers.
We follow coordinated disclosure. Once a fix is available, we will:
- Release a patched version
- Publish a security advisory on GitHub
- Credit the reporter (unless they prefer anonymity)