Only released versions of Arbiter receive security fixes. The table below describes the level of support you can expect for each release line.
| Version | Supported | Security Fixes |
|---|---|---|
| 0.7.x | ✅ | Active fixes |
| 0.6.x | ✅ | Critical only |
| < 0.6 | ❌ | No fixes |
"Critical only" means fixes are limited to high-severity issues (e.g. remote code execution, data exposure) and do not include lower-severity hardening. Unsupported versions should upgrade to a supported release to receive fixes.
If you discover a security issue in Arbiter, report it via the org security contact:
- Primary: security@hummbl.io (org security contact, monitored by the HUMMBL team)
- Fallback: reuben@hummbl.io (maintainer, if org contact is unreachable)
Include:
- affected version or commit
- reproduction steps
- expected and observed behavior
- potential impact
Do not open public GitHub issues for suspected vulnerabilities.
This policy covers the code and release artifacts in this repository.
We aim to acknowledge and remediate security reports according to the following targets. These are best-effort commitments, not guarantees, and may vary with report volume and severity.
| Stage | Target |
|---|---|
| Acknowledgement of report | Within 48 hours |
| Initial assessment & severity rating | Within 5 business days |
| Remediation (Critical) | Patch or mitigation within 7 days of confirmation |
| Remediation (High) | Patch or mitigation within 30 days of confirmation |
| Remediation (Medium/Low) | Addressed in the next scheduled release |
You will receive status updates at each stage. If a fix requires coordinated disclosure, we will work with you to agree on a publication timeline.