| Version | Supported |
|---|---|
| 1.x | Yes |
| < 1.0 | No |
Do not open a public issue for security vulnerabilities.
Instead, please email security@quavil.com with:
- A description of the vulnerability
- Steps to reproduce or a proof-of-concept
- The affected version(s)
- Any potential impact assessment
You should receive an acknowledgment within 48 hours. We will work with you to understand the issue and coordinate a fix and disclosure timeline.
- Acknowledgment within 48 hours of your report.
- Assessment — we will confirm the issue, determine severity, and identify affected versions.
- Fix — a patch will be developed and tested privately.
- Release — a new version will be published with the fix.
- Disclosure — a security advisory will be published on GitHub after the fix is available.
We aim to resolve critical vulnerabilities within 7 days of confirmation.
The following are in scope:
- The
qvlbinary and all workspace crates - The install script (
get.quavil.com) - Token storage and credential handling
- The self-update mechanism and binary verification
Implementation references:
docs/self-update.mddocs/authentication.md
The following are out of scope:
- Third-party LLM provider APIs
- Issues in upstream dependencies (report those to the upstream project)
- Social engineering attacks
We are happy to credit reporters in the security advisory unless you prefer to remain anonymous. Let us know your preference when reporting.