Security: hatchet-dev/hatchet

SECURITY.md

Security Policy

Supported Versions

Security and bug fixes are provided for the current major version of Hatchet. We recommend keeping up to date with the latest releases. Depending on the scope of the changes, fixes are either included in the next minor version or released as an on-demand patch version.

Production vulnerabilities triaged as HIGH to CRITICAL are given priority and might be enough to trigger the immediate release of a new version.

Reporting a Vulnerability

We encourage responsible disclosure of security vulnerabilities. If you have found or suspect a vulnerability in Hatchet, please use the "Report a vulnerability" button under the Security tab. This opens a private channel directly with the maintainers.

If you are unable to use GitHub's vulnerability reporting workflow, you can reach us at security@hatchet.run.

Please note that we do not operate a bug bounty program, but we genuinely appreciate any reports that help us build a more secure project.

Scope

This policy applies to the open-source repositories under the hatchet-dev organization on GitHub.

For security concerns related to the hosted service at cloud.onhatchet.run, please contact security@hatchet.run directly.

There aren’t any published security advisories