MDK is in the 0.y.z initial-development range; the public API is not considered stable until 1.0.0.
Security fixes are handled on a best-effort basis for the latest commit on main. Tagged releases and older commits may not receive security fixes.
Please do not open public GitHub issues for security vulnerabilities.
Instead, report security issues privately via:
- GitHub Security Advisories: Report a vulnerability
Include as much detail as possible:
- Affected component(s) and version/commit
- Steps to reproduce
- Impact assessment
- Any proof-of-concept or logs (if safe to share)
- Suggested mitigation, if known
After receiving a report, maintainers aim to:
- Acknowledge receipt within 3 business days.
- Confirm whether the issue is valid and in scope.
- Prepare and release a fix as quickly as possible.
- Coordinate disclosure timing with the reporter when appropriate.
Security issues in first-party code under this repository are in scope.
Reports that depend exclusively on unsupported runtimes or modified third-party deployments, or that concern issues already fixed on main, may be considered out of scope.