As of present, we recommend using the current version / latest release. We currently lack the bandwidth to support multiple versions.
- If a vulnerability with one of our dependencies, design patterns, etc is known and obvious to the larger community, a normal issue should be submitted under the issues tab. Additionally, any security vulnerability where the risk to the community of publishing the vulnerability is otherwise minimal, we recommend also creating an issue on the issues tab. Given that this is a back - end component of most systems that use it, this will be the case with most detected vulnerabilities.
- If a vulnerability poses a high risk to the community if the vulnerability is disclosed, please do not discuss it in a public forum such as the issues tab. Please instead, send an email to
[email protected]
, flag the email as high priority, and in the subject line includeCerebros Community Edition security vulnerability
. We will evaluate it and provide appropriate feedback. - In all cases, a security vulnerability, as soon as it is known, will be accessioned and triaged according to severity at earliest opprtunity, and to the extent realistic, will be prioritized for prompt resolution.
- All changes made to cure or mitigate a security vulnerability will be subject to the same CICD testing and process as any other proposed change, however with the exception, that any member of the Cerebros Enterprise team having a career progression status of l6 or higher may merge in the patch, without prior approval from another l5+. If a merge was made without such approval, the changes shall be reviewed retroactively as soon as possible, and within no more than 3 business days. Changes are subject to being reverted if not approved.