Skip to content

Security: bogware/morass

Security

SECURITY.md

Security Policy

Supported versions

Security fixes target the latest released version and the main branch.

Version Supported
latest release / main
older releases

Reporting a vulnerability

Please do not open a public issue for security problems.

Report privately through GitHub's built-in flow:

  1. Go to the repository's Security tab → Report a vulnerability, or open https://github.com/bogware/morass/security/advisories/new.
  2. Include the affected version/commit, a description, and a minimal reproduction if you have one.

If private reporting is unavailable to you, open a regular issue containing only "I'd like to report a security issue privately, please advise a channel" — without any details — and a maintainer will follow up.

We aim to acknowledge reports within a few days and to ship a fix or mitigation as quickly as the severity warrants. Coordinated disclosure is appreciated: please give us a reasonable window before any public write-up.

Scope

Morass is an audio plugin with no network functionality. The most relevant issue classes are:

  • memory-safety bugs reachable from crafted plugin state or preset (.morass) files,
  • crashes a host could trigger through normal plugin APIs, and
  • problems in the build / CI / release supply chain.

Reports in those areas are especially welcome.

There aren't any published security advisories