We release patches for security vulnerabilities. Currently supported versions:

Please DO NOT file public GitHub issues for security vulnerabilities.

We take security seriously at Pantheon Security. If you discover a security vulnerability in MEDUSA, please report it to us privately.

Email: security@pantheonsecurity.io

PGP Key: Coming soon

Please include the following information in your report:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Any suggested fixes (optional)
• Your name/handle for acknowledgment (optional)

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Depends on severity
  • Critical: 1-7 days
  • High: 7-30 days
  • Medium: 30-90 days
  • Low: Best effort

• We request that you give us reasonable time to fix the issue before public disclosure
• We will acknowledge your contribution in our security advisories (unless you prefer to remain anonymous)
• We may provide a CVE if the issue warrants one

To receive security updates:

1. Watch this repository on GitHub (Releases only)
2. Subscribe to our security mailing list (coming soon)
3. Follow @PantheonSec on Twitter

MEDUSA scans code for security issues but does not:

• Execute code from scanned projects
• Send data to external servers (all scanning is local)
• Require network access (except for tool installation)

• MEDUSA relies on external security tools (listed in tool-versions.lock)
• We cannot guarantee 100% accuracy (false positives/negatives may occur)
• Tool versions are pinned for reproducibility but may lag behind latest versions

When using MEDUSA:

1. Keep MEDUSA updated to the latest version
2. Review scan results - don't blindly trust all findings
3. Use pinned tool versions for production CI/CD
4. Report false positives to help us improve

We currently do not offer a bug bounty program but deeply appreciate responsible disclosure.

Last Updated: 2025-11-27
Contact: security@pantheonsecurity.io