| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
Do NOT open a public GitHub issue for security vulnerabilities.
Please report security vulnerabilities via email to security@szlholdings.ai with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Any suggested mitigations
| Severity | Initial Response | Resolution Target |
|---|---|---|
| Critical | 24 hours | 7 days |
| High | 48 hours | 30 days |
| Medium | 5 business days | 90 days |
| Low | 10 business days | 180 days |
We follow a 90-day responsible disclosure policy. After 90 days from initial report, details may be published regardless of patch status (with appropriate notice to reporter).
- SLSA Build Level 1 — build provenance generated per release (honest; not L2/L3)
- DCO required — all commits carry
Signed-off-by:trailers per Linux Foundation DCO - Cosign keyless signing — containers signed via Sigstore OIDC keyless mode; verify with
cosign verify ghcr.io/szl-holdings/<repo>:<tag> - SBOM — CycloneDX SBOM attached to each GitHub Release
SZL Holdings attests that no covered telecommunications equipment or services from the following vendors are used in this software:
- Huawei Technologies Company
- ZTE Corporation
- Hytera Communications Corporation
- Hangzhou Hikvision Digital Technology Company
- Dahua Technology Company
Per NDAA Section 889, 41 U.S.C. § 4713.
- Doctrine v11 LOCKED — kernel commit
c7c0ba17(749 declarations / 14 axioms / 163 sorries) - Λ = Conjecture 1 (never a theorem)
- No Iron Bank, FedRAMP, CMMC, or SWFT claims
- Security disclosures: security@szlholdings.ai
- General: hello@szlholdings.ai
- Website: https://szlholdings.ai
This policy follows OpenSSF Vulnerability Disclosure Guide.