| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |

Please do not report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing michaelallenkuykendall@gmail.com with:
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Any suggested mitigations

After you report, you can expect:
- Response time: Within 48 hours for initial acknowledgment
- Updates: Regular updates on investigation progress
- Resolution: Security patches released as priority updates
- Credit: Public recognition for responsible disclosure (if desired)

Shimmy is designed with security in mind:
- Local only: No external network calls by design
- Minimal attack surface: Small binary, limited functionality
- Memory safety: Written in Rust
- No persistent state: Stateless operation by default

This security policy covers:
- The core Shimmy binary
- Official extensions and integrations
- Build and distribution infrastructure

Out of scope:
- Third-party models or model files
- User configurations or custom modifications
- Issues in dependencies (report to respective maintainers)

When using Shimmy:
- Network exposure: Only bind to localhost unless necessary
- Model sources: Only use trusted model files
- File permissions: Ensure proper file system permissions
- Updates: Keep Shimmy updated to the latest version

Disclosure timeline:
- Day 0: Vulnerability reported privately
- Day 1-2: Initial assessment and acknowledgment
- Day 3-14: Investigation and patch development
- Day 15: Patch released and public disclosure
- Day 16+: Post-disclosure monitoring

Thank you for helping keep Shimmy and the community safe!