The SerialPilot maintainers take security seriously. Thank you for helping keep the community safe.
| Version | Supported |
|---|---|
| Latest major (1.x) | ✅ |
| Older majors | ❌ — please upgrade |
The Rust crate (serialpilot-rust) is supported on the latest published 0.x / 1.x line.
Please do not file public GitHub issues for security vulnerabilities.
You have two private channels:
- GitHub Security Advisories (preferred) — open a private advisory on the affected repo: https://github.com/serialpilot/serialpilot/security/advisories/new
- Email — contact@riteshrana.engineer. Please include:
  - The affected package(s) and version(s)
  - A description of the issue and its impact
  - Steps to reproduce, or a proof-of-concept
  - Any suggested mitigation
| Phase | Target |
|---|---|
| First response from a maintainer | Within 7 days |
| Triage and severity assessment | Within 14 days |
| Patch + coordinated disclosure for high/critical issues | Typically 30 days, faster for actively-exploited bugs |
We will keep you in the loop throughout, credit you in the advisory (unless you prefer otherwise), and coordinate a release date that gives downstream users time to upgrade.
The following are out of scope:
- Bugs in third-party dependencies — please report those upstream. We'll bump our pinned version once a fix lands.
- Denial-of-service that requires already having unrestricted serial-port access on the host (we treat the local serial port as a trust boundary).
- Issues only reproducible on end-of-life Node.js (anything below the current LTS).