# Security Policy

## Supported Versions

| Version  | Supported |
| -------- | --------- |
| latest   | ✅        |
| pre v0.5 | ❌        |

## Reporting a Vulnerability

If you discover a security vulnerability in Ant, please report it responsibly:

1. **Do not** open a public GitHub issue
2. Email security concerns to: **themackabu@gmail.com**
3. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Any suggested fixes (optional)

## Response Timeline

- **Acknowledgment**: Within 12 hours
- **Initial assessment**: Within 2 days
- **Fix timeline**: Depends on severity (critical issues prioritized)

## Security Considerations

Ant is a JavaScript runtime with system-level access. When using Ant:

- **FFI**: The `ant:ffi` module provides direct memory access. Only load trusted native libraries.
- **Shell execution**: The `ant:shell` module executes system commands. Sanitize all user input.
- **URL imports**: Remote module imports execute code from external sources. Only import from trusted origins.
- **File system**: The `ant:fs` module has full filesystem access. Validate paths carefully.
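
One way to enforce the "only import from trusted origins" advice for specifiers chosen at runtime, as an added example that is not part of Ant's own code. It assumes the runtime exposes the standard `URL` class and dynamic `import()`; the names `TRUSTED_ORIGINS`, `classifyImport` and `guardedImport` and the listed origins are hypothetical.

```javascript
// Added example: a pre-import gate for remote module specifiers.
// TRUSTED_ORIGINS, classifyImport and guardedImport are hypothetical names,
// and the origins listed are constructed sample values.
const TRUSTED_ORIGINS = new Set([
  "https://cdn.example.org",
  "https://modules.example.org:8443",
]);

// Returns { verdict: "local" | "allowed" | "blocked", reason }.
function classifyImport(specifier, trusted = TRUSTED_ORIGINS) {
  let url;
  try {
    url = new URL(specifier);
  } catch {
    // Relative paths and bare names do not parse as absolute URLs.
    return { verdict: "local", reason: "not an absolute URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    // e.g. "ant:fs" or "file:": no network fetch, outside this gate's scope.
    return { verdict: "local", reason: `scheme ${url.protocol}` };
  }
  if (url.protocol === "http:") {
    return { verdict: "blocked", reason: "plaintext http can be altered in transit" };
  }
  if (url.username !== "" || url.password !== "") {
    // "https://cdn.example.org@other.example/x" really points at other.example.
    return { verdict: "blocked", reason: "userinfo in URL" };
  }
  // url.origin is scheme + lowercased host + non-default port, so compare
  // it exactly; prefix or substring checks are spoofable by lookalike hosts.
  if (!trusted.has(url.origin)) {
    return { verdict: "blocked", reason: `origin ${url.origin} not in allowlist` };
  }
  return { verdict: "allowed", reason: url.origin };
}

// Wraps dynamic import so every runtime-chosen specifier passes the gate.
async function guardedImport(specifier) {
  const { verdict, reason } = classifyImport(specifier);
  if (verdict === "blocked") {
    throw new Error(`import refused (${reason}): ${specifier}`);
  }
  return import(specifier);
}
```

The gate sees only the specifier it is handed; redirects and the imports inside a fetched module are resolved by the runtime and are not checked here.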

## Disclosure Policy

Once a vulnerability is fixed, we will:

1. Release a patched version
2. Credit the reporter (if desired)
3. Publish a security advisory on GitHub