Grob is pre-1.0. There are no supported versions yet. Once 1.0 ships, the most recent major version will receive security fixes; older major versions will not.

Use GitHub Security Advisories to report a vulnerability: navigate to the Security tab of this repository and click "Report a vulnerability".

Do not file a public issue for security vulnerabilities.

We aim to acknowledge reports within 7 days. Fix timelines depend on severity.

In scope: the Grob compiler, runtime, VM and standard library as shipped from this repository.

Out of scope: third-party plugins, scripts written in Grob (those are the script author's responsibility) and any deployment of Grob in a specific environment.

We will coordinate disclosure timing with the reporter. Credit will be given in the security advisory unless the reporter prefers anonymity.