We currently support the latest stable release with security updates. Older versions may receive patches on a case-by-case basis.

| Version | Supported |
|---|---|
| latest | ✅ Supported |
| < latest | |

We take the security of Xavier seriously. If you discover a security vulnerability, please report it privately.
Do not report security vulnerabilities through public GitHub issues.

- Email: Send details to security@swal.ai
- PGP Key: (TBD — encrypted reports coming soon)
- Response Timeline: We aim to acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.
- A clear description of the vulnerability
- Steps to reproduce (proof of concept preferred)
- Affected versions
- Any potential impact or exploit scenarios
- Your contact information for follow-up

We follow a coordinated disclosure process:
- We investigate and confirm the issue
- We develop and test a fix
- We release a security advisory and update
- We grant you credit for the discovery (unless you prefer anonymity)

We aim to release fixes within 14 days of confirmation, depending on severity.

This policy covers:
- The Xavier context engine (Rust binary)
- REST API endpoints
- Authentication and authorization mechanisms
- Data storage and encryption

We maintain a Security Hall of Fame for researchers who responsibly disclose vulnerabilities. If you'd like to be credited, let us know when you report.

Last updated: 2026-05-06