| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
Only the latest release is supported with security updates. We recommend always using the most recent version.
If you discover a security vulnerability in Plumber, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please use one of the following methods:
- GitHub Security Advisories: Use GitHub's private vulnerability reporting to submit a report directly.

When reporting, please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
You can expect the following response times:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 5 business days
- Fix timeline: Depends on severity, but we aim for:
  - Critical: 7 days
  - High: 14 days
  - Medium: 30 days
  - Low: Next release
We follow coordinated vulnerability disclosure. We will work with you to understand and address the issue before any public disclosure.
Plumber itself is a CI/CD compliance scanner. We practice what we preach:
- All GitHub Actions are pinned by SHA commit hash
- Workflow permissions follow the principle of least privilege
- Release artifacts include SLSA Level 3 provenance attestations
- Dependencies are monitored with Dependabot
- Code is analyzed with CodeQL (SAST)
- Container images are scanned with Grype