Please report security vulnerabilities privately to security@secretenv.io. Do not open public GitHub issues for security vulnerabilities.
We aim to acknowledge reports within 48 hours and provide an initial assessment within 5 business days. Researchers who follow responsible disclosure will be credited in release notes.
secretenv is a workflow product that eliminates a class of workflow-driven security failures. It is not a cryptographic or access-control product. For the full scope (including what we protect against, what we explicitly do not, and how the threat model compares to adjacent tools), see docs/security.md.
Security patches are provided for the latest minor release. Older minor versions are not patched; upgrade to the current release for fixes.