Prerelease security boundary

Public vulnerability intake is not operational yet.

This is a GA blocker, not fine print. No Strust build should be represented as generally available until a protected reporting channel is published, routed, and tested. Existing design partners must use the security contact in their signed agreement.

Until intake is live

Preserve the report. Share nothing sensitive in public.

01

Do not put secrets, private fixtures, customer source, or exploit details in a public issue.

02

Do not send vulnerability material to an address that has not been confirmed through a signed agreement or protected Strust response.

03

Run local target code only when it is trusted; a copied workspace is evidence isolation, not a hostile-code sandbox.

04

Treat receipts, findings, reports, and bundles according to the classification of the source data they contain.

Supported versions

No GA version is supported yet. A promoted release must name its supported version and lifecycle evidence on the download page.

Response target

After a protected report is received: acknowledge a suspected critical issue within one business day and begin triage within three business days. Agreements may be stricter.

Credential handling

Keep credentials out of contracts and evidence. Prefer network-off execution with no ambient secrets and inspect every redacted projection before transfer.

Non-sensitive first contact

The general address can be used only to draft a non-sensitive request for a protected reporting path. Its domain mail routing has not yet been published and tested, so it is not vulnerability intake and must not be relied on for urgent reporting. Do not include vulnerability details, source, fixtures, credentials, or customer evidence.