Security
We use GitHub Private Vulnerability Reporting for security disclosures.
To report a vulnerability: open a private advisory. GitHub will deliver it directly and privately to the maintainers — no public issue or email needed.
Supported versions
| Version | Supported |
|---|---|
| Latest stable | yes |
| Anything older | no |
Scope
Bugs that put data, credentials, or workspace state at risk are in scope. Out of scope: bugs in third-party SDKs we depend on (file those upstream), denial-of-service against the Fabric API (file with Microsoft).