| Version | Supported |
|---|---|
| 0.6.x | ✅ |
| < 0.6 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:
- Do not open a public GitHub issue for security vulnerabilities
- Do not disclose the vulnerability publicly before it's fixed
- Email the maintainers directly (or open a private security advisory on GitHub)
- Include the following information:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Any suggested fixes (optional)
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Resolution timeline: depends on severity
  - Critical: ASAP (target: 1-2 weeks)
  - High: 2-4 weeks
  - Medium/Low: next release cycle
- We will notify you when the fix is released
- We will credit you in the release notes (unless you prefer to remain anonymous)
When using Operonx in production:
- API Keys: never commit API keys to version control
  - Use environment variables or secrets management
  - See `env.example` for the template
- Dependencies: keep dependencies updated
  - Run `uv sync` regularly
  - Review security advisories
  - Run
- Observability: be mindful of what you log
  - Langfuse traces may contain sensitive data
  - Configure trace retention appropriately
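As an added example (not Operonx project code, and not the Langfuse SDK's own masking API), the block below shows the two habits the production notes above ask for: a strict loader that refuses to start without an API key from the environment or a secrets-manager mapping, and a redaction pass run over a trace payload before it is handed to a tracing backend. The field names, the `sk-` key pattern and the sample trace are assumptions constructed for illustration; how you attach the redaction to your tracing SDK depends on the SDK version and is not shown.

```python
"""Redact secrets from trace/log payloads before they leave the process.

Added example for this policy page; it is not Operonx project code. The key
names, token patterns and the sample trace below are constructed for
illustration and may not match your application.
"""
import os
import re
from typing import Any, Mapping, Optional

REDACTED = "[REDACTED]"

# Field names whose values are always dropped, whatever they contain.
# Assumption: your payloads use these (case-insensitive) names.
SENSITIVE_KEYS = {"api_key", "authorization", "password", "secret", "token", "cookie"}

# Value patterns that look like credentials even when they sit inside free
# text (e.g. a user pasting a key into a prompt). Assumption: the "sk-" prefix
# covers the provider keys you use; add your own patterns as needed.
SECRET_PATTERNS = [
    re.compile(r"\bsk-[A-Za-z0-9_\-]{16,}\b"),           # OpenAI/Anthropic-style keys
    re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{16,}"),  # bearer tokens in headers
]


def redact_text(text: str) -> str:
    """Replace every credential-looking substring in a string."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub(REDACTED, text)
    return text


def redact(obj: Any) -> Any:
    """Return a deep copy of obj with secrets removed.

    Walks dicts, lists and tuples; sensitive keys are redacted by name, all
    other strings are scanned for credential patterns. Other scalars (ints,
    None, ...) are returned unchanged.
    """
    if isinstance(obj, dict):
        return {
            key: REDACTED if str(key).lower() in SENSITIVE_KEYS else redact(value)
            for key, value in obj.items()
        }
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    if isinstance(obj, tuple):
        return tuple(redact(item) for item in obj)
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


def require_api_key(var: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Read an API key from the environment (or a secrets-manager mapping).

    Fails loudly when the variable is missing or blank so a misconfigured
    deployment does not silently fall back to a hard-coded or empty key.
    """
    source = os.environ if env is None else env
    value = source.get(var, "").strip()
    if not value:
        raise RuntimeError(
            f"{var} is not set; supply it via the environment or a secrets "
            "manager, never in source control"
        )
    return value


# Constructed sample: what a chat-completion trace might contain if a user
# pastes a key into the prompt and request headers are captured verbatim.
SAMPLE_TRACE = {
    "name": "chat-completion",
    "input": {
        "messages": [
            {"role": "user",
             "content": "my key is sk-abcdefghijklmnopqrstuvwxyz123456, is it valid?"}
        ],
        "headers": {"Authorization": "Bearer sk-abcdefghijklmnopqrstuvwxyz123456"},
    },
    "metadata": {"api_key": "sk-abcdefghijklmnopqrstuvwxyz123456", "user_id": "u-42"},
}


if __name__ == "__main__":
    import json
    print(json.dumps(redact(SAMPLE_TRACE), indent=2))
```

Redaction by key name catches structured fields such as headers; the pattern scan is what catches a key that leaks inside free text like a prompt, which key-based masking alone misses. Retention settings in the tracing backend are a separate control and do not replace redaction at the source.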
This security policy applies to:
- The `operonx` Python package on PyPI (and all its extras: `[standard]`, `[anthropic]`, `[onnx]`, etc.)
- The `operonx` and `operonx-macros` Rust crates on crates.io
Third-party provider SDKs (OpenAI, Anthropic, etc.) have their own security policies — vulnerabilities specific to those SDKs should be reported upstream.