The project has not yet cut a versioned release. Security fixes are applied directly on main against the current development snapshot.
| Version | Supported |
|---|---|
| 0.1.0-SNAPSHOT (development, unreleased) | Security fixes applied on main |
Note: once the first SemVer release is cut, this table will be updated to list the supported release line(s).
Please do not report security vulnerabilities through public GitHub issues.
Use GitHub's built-in private vulnerability reporting mechanism:
https://github.com/bernardladenthin/srcmorph/security/advisories/new
This creates a private advisory that only the maintainers can see.
If GitHub Private Vulnerability Reporting is unavailable, contact the maintainer directly:
- Bernard Ladenthin — bernard.ladenthin@gmail.com
This address is the same maintainer contact published in CODE_OF_CONDUCT.md.
We aim to:
- Acknowledge vulnerability reports within 14 days of receipt.
- Provide a remediation timeline within 30 days of acknowledgement.
This project follows coordinated disclosure with a 90-day embargo by default:
- The reporter submits the vulnerability privately (see above).
- The maintainer acknowledges receipt and investigates.
- A fix is developed and tested privately.
- A patched release is published.
- A public security advisory is created after the fix is released.
Please do not disclose the vulnerability publicly until a fix has been released or until you and the maintainer have agreed on a disclosure date. If 90 days elapse without a remediation plan, the reporter may publish at their discretion after notifying the maintainer.
In scope:
- Plugin source under
src/main/java/net/ladenthin/maven/llamacpp/aiindex/**. - Plugin Maven configuration (
pom.xml) and CI workflow definitions in.github/workflows/**.
Out of scope (report upstream):
- Vulnerabilities in the bundled
net.ladenthin:llamaJNI binding — report at https://github.com/bernardladenthin/java-llama.cpp. - Vulnerabilities in upstream
ggml-org/llama.cpp— report at https://github.com/ggml-org/llama.cpp. - Vulnerabilities in third-party Maven plugins or transitive dependencies — report to their respective maintainers; we will track and bump versions once an upstream fix lands.
Security fixes are published through:
- GitHub Security Advisories on this repository (subscribe via the Watch → Custom → Security alerts setting).
- The CHANGELOG.md
### Securityentry for the affected release. - The GitHub Releases page, which is the canonical announcement channel.