Security Policy

Supported versions

| Version | Supported | Notes |
| --- | --- | --- |
| 1.0.x | Yes | Active security fixes |
| 0.x.y | Best-effort | Pre-stable; no SLA |
| < 0.1 | No | Development milestones only |

Security fixes are back-ported to the latest stable minor release only. Pre-stable releases (0.x) receive best-effort patches at maintainer discretion.

Reporting a vulnerability

Do not open a public GitHub/Gitea issue for security vulnerabilities.

  1. Email: Send a report to write@nennemann.de.
  2. Subject line: [SECURITY] <short description>
  3. Include:
     • Affected component (e.g., trails-identity, trails-policy, trails-ffi, Python trails.security)
     • Steps to reproduce or proof-of-concept (redacted if needed)
     • Impact assessment (what can an attacker do?)
     • Suggested fix, if you have one
  4. PGP: If you need encrypted communication, request the maintainer's public key in your initial email.

Response timeline

| Step | Target |
| --- | --- |
| Acknowledgement | 48 hours |
| Initial triage | 5 days |
| Fix development | 14 days (critical), 30 days (high) |
| Public disclosure | After fix ships, coordinated with reporter |

We follow coordinated disclosure. If you do not hear back within 5 days, please re-send or reach out via the project's public channels with a generic "I sent a security report" message (no details).

Security contact

  • Primary: Project maintainer (Christian Nennemann)
  • Email: write@nennemann.de
  • Backup: Open a private advisory on the Gitea/GitHub repository if email is unresponsive.

Scope

The following components are in scope for security reports:

  • Rust kernel (trails-core, trails-graph, trails-ffi, trails-shapes, trails-prov, trails-caps, trails-policy, trails-identity, trails-cost)
  • Python surface (trails.* packages)
  • PyO3 FFI boundary (panic propagation, type confusion, memory safety)
  • MCP transport (JSON-RPC validation, SSE)
  • HTTP adapter (FastAPI integration)
  • Build and supply chain (deny.toml, CI pipelines, wheel builds)

Out of scope: example applications, documentation typos, feature requests disguised as security issues.

Acknowledgements

We maintain a SECURITY-ACKNOWLEDGEMENTS.md for reporters who wish to be credited. Opt-in only.