Do not report security vulnerabilities through public GitHub issues.
Instead, please report them privately to:
Email: security@latticeruntime.com
Include the following information:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will respond within 48 hours and work with you to understand and address the issue.
This security policy covers the Lattice Runtime enforcement layer, including:
- Identity and authorization evaluation
- Policy decision engine
- Audit event generation
- Agent execution primitives
In scope: issues that could compromise the enforcement layer, including:
- Authorization bypass - actions executed without proper authorization
- Audit evasion - actions that don't generate audit events
- Identity spoofing - ability to impersonate another principal
- Policy circumvention - bypassing declared constraints
- Privilege escalation - gaining unauthorized access or permissions
Out of scope for this policy:
- Feature requests - use GitHub Discussions
- Configuration errors - see documentation
- Enterprise features - contact enterprise support
- Denial of service in test/development environments
Lattice Runtime is built on these security principles:
- Violations are prevented structurally, not by application discipline. The runtime blocks unauthorized actions before they execute.
- Every enforcement decision generates an immutable audit event. Actions without audit trails are rejected.
- The default is deny. Permissions must be explicitly granted.
- Agents run with the minimum permissions required for their declared function.
- Multiple layers of enforcement protect against bypass attempts.
We follow coordinated disclosure:
- Report received - we acknowledge within 48 hours
- Investigation - we validate and assess severity
- Fix developed - we create and test a patch
- Coordinated release - we work with you on timing
- Public disclosure - after fix is deployed
We aim to resolve critical issues within 30 days.
Security patches are released as:
- Patch releases for the current stable version
- Backports for the previous major version (if applicable)
- Security advisories published on GitHub
| Version | Supported |
|---|---|
| 2.x | Active support |
| 1.x | |
| < 1.0 | Not supported |
We recognize security researchers who responsibly disclose vulnerabilities:
- Public acknowledgment (with permission)
- Credit in release notes and security advisory
- Swag for significant findings (optional)
Thank you for helping keep Lattice Runtime secure.
- Security issues: security@latticeruntime.com
- General questions: GitHub Discussions
- Enterprise support: enterprise@latticeruntime.com