Responsible Disclosure

How to report security vulnerabilities in Weavestream.

Reporting a Vulnerability

Please do not open a public GitHub issue for suspected security problems.

Use GitHub's private vulnerability reporting feature (the "Report a vulnerability" button on the repository's Security tab) to report the issue confidentially. Please do not send exploit details over public channels such as chat, social media, or pull request comments.

You can expect:

  • An acknowledgement within 72 hours
  • A coordinated disclosure timeline — typically 30–90 days depending on severity and complexity
  • A patch, advisory, and credit upon resolution (unless you request anonymity)

What to Include in Your Report

To help us reproduce and assess the issue quickly, please provide:

  • A clear description of the vulnerability and its potential impact
  • Minimal reproduction steps or a proof-of-concept
  • The Weavestream version (WEAVESTREAM_VERSION from your .env) and deployment shape (Docker Compose, Kubernetes, etc.)
  • Any suggested mitigations if you have them

Scope

In scope

  • Code in this repository (apps/, packages/, docker/, scripts/)
  • Published container images at ghcr.io/weavestream/weavestream-*
  • The default compose.yml deployment topology

Out of scope

  • Vulnerabilities in third-party dependencies already tracked upstream — please report those to the upstream project
  • Social engineering, physical attacks, or denial-of-service by resource exhaustion against your own instance
  • Issues that require prior compromise of the host or database
  • Findings from automated scanners without a verified proof-of-concept

Supported Versions

Security fixes ship on the latest minor release line:

  Version    Supported
  1.x        Yes
  < 1.0      No

We recommend pinning WEAVESTREAM_VERSION to an exact patch release (a full x.y.z tag rather than a floating tag such as latest or a bare minor), and following the changelog for upgrade notes so that security fixes are picked up deliberately rather than by surprise.
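A small POSIX shell check for the pinning advice above, written here as an added example; it is not a script shipped by Weavestream. It reads WEAVESTREAM_VERSION from a Compose .env file and rejects anything that is not an exact patch release on the supported 1.x line (floating tags like latest, bare majors or minors, pre-release suffixes, and versions outside 1.x). The .env contents used in the demo are constructed for the example, and the helper names are the author's own.

```shell
#!/usr/bin/env sh
# Added example, not part of the Weavestream project: verify that the
# WEAVESTREAM_VERSION in a Compose .env is pinned to a supported 1.x.y
# patch release rather than a floating or partial tag.

# Return 0 when $1 is exactly 1.<minor>.<patch> with numeric components only.
# Anything else (latest, 1, 1.4, 1.4.2-rc1, 2.0.0, 0.9.1) returns 1.
is_supported_pin() {
  printf '%s\n' "$1" | grep -Eq '^1\.[0-9]+\.[0-9]+$'
}

# Print the value of WEAVESTREAM_VERSION from the .env file named by $1.
# If the variable is assigned more than once the last assignment is used,
# and surrounding single or double quotes are stripped. Prints nothing
# when the variable is absent.
read_pinned_version() {
  sed -n 's/^[[:space:]]*WEAVESTREAM_VERSION=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Check one .env file: exit 0 if the pin is acceptable, 1 otherwise,
# with a one-line explanation on stderr for the failing cases.
check_env_file() {
  version=$(read_pinned_version "$1")
  if [ -z "$version" ]; then
    echo "$1: WEAVESTREAM_VERSION is not set; the deployment will use the image default" >&2
    return 1
  fi
  if ! is_supported_pin "$version"; then
    echo "$1: WEAVESTREAM_VERSION='$version' is not an exact supported 1.x.y release" >&2
    return 1
  fi
  echo "$1: WEAVESTREAM_VERSION='$version' is pinned to a supported patch release"
}

# Demo on constructed .env contents (not a real deployment).
demo() {
  tmp=$(mktemp)
  for value in 'latest' '1.4' '"1.4.2"'; do
    printf 'POSTGRES_PASSWORD=example\nWEAVESTREAM_VERSION=%s\n' "$value" > "$tmp"
    if check_env_file "$tmp"; then echo "  -> accepted"; else echo "  -> rejected"; fi
  done
  rm -f "$tmp"
}

demo
```

Run it against the real file with `check_env_file .env`; the exit status makes it usable as a pre-deploy gate in CI, where a non-zero result should block the rollout until the pin is corrected.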

Thank You

Security research is valuable work. We appreciate researchers who take the time to report issues responsibly and work with us through the disclosure process. All eligible reporters receive credit in the security advisory unless they request otherwise.