| Version | Support status |
|---|---|
| v7.1.x | Fully supported — all security fixes |
| v7.0.x | Security fixes only |
| < v7.0 | Unsupported — please upgrade |
Do not open a public GitHub issue for security vulnerabilities.
Email the security team at security@ruptura.dev with:
- A description of the vulnerability and its potential impact
- Steps to reproduce (proof-of-concept if possible)
- Affected versions
- Any suggested mitigations
| Milestone | Target |
|---|---|
| Acknowledgement | 48 hours |
| Triage and severity assessment | 5 business days |
| Fix for Critical / High severity | 14 days |
| Fix for Medium / Low severity | 90 days |
We will keep you informed of progress throughout the process.
Ruptura follows a coordinated disclosure model:
- You report the vulnerability to security@ruptura.dev.
- We confirm receipt within 48 hours and begin triage.
- We develop and test a fix privately.
- We request a CVE identifier via GitHub Security Advisories once the fix is ready.
- We release the patched version and publish the GitHub Security Advisory.
- Embargo period: We ask reporters to hold public disclosure for 7 days after the patched release ships, to give users time to upgrade.
If you need to disclose sooner for any reason, please discuss with us so we can coordinate.
We use GitHub Security Advisories to track and disclose security issues. Once a fix is released, the advisory is published with full details, affected versions, and CVE reference.
Ruptura will request CVE identifiers through the GitHub Security Advisory process for any confirmed vulnerability with a CVSS score of Medium or higher (CVSS >= 4.0).
The following are in scope:
- The Ruptura engine binary (`workdir/`)
- The Helm chart (`helm/`)
- The Ruptura operator (`operator/`)
- The Svelte dashboard (`ui/`)
- The `ruptura-ctl` CLI
Out of scope: third-party dependencies (report those to their respective projects), the public demo instance, and issues requiring physical access.
Maintainer: Selim Benfradj — @benfradjselim