bunWay follows semantic versioning. All currently published versions under 0.x receive security updates on a best-effort basis.

Please email [email protected] with the subject line SECURITY: <short summary>.

Include as much detail as possible:

• A description of the issue and potential impact
• Steps to reproduce or proof of concept
• bunWay version, Bun version, and platform information

We aim to acknowledge reports within 72 hours. If the issue is confirmed, we will coordinate a fix and release timeline with you. Please do not disclose vulnerabilities publicly until a fix has been released.

Thank you for helping keep bunWay users safe.