| Version | Supported |
|---|---|
| latest | Yes |
| < latest | No (upgrade to latest) |

Please do NOT report security vulnerabilities through public GitHub issues.
Instead, use GitHub Security Advisories to report vulnerabilities privately.

Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix and disclosure: Coordinated with reporter, typically within 30 days

This policy covers the claude-rs binary and its direct dependencies. Vulnerabilities
in the upstream Agent SDK (@anthropic-ai/claude-agent-sdk) or Claude API should be
reported to their respective maintainers.

- Dependencies are audited weekly via `cargo audit` (scheduled GitHub Actions workflow, every Monday)
- Dependency updates are managed via Dependabot
- All PRs require CI checks (test, clippy, fmt, MSRV, lockfile)