Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in SQLMesh, please report it through GitHub Security Advisories. Do not file a public issue for security vulnerabilities.

Response

We will acknowledge receipt of your report within 72 hours and aim to provide an initial assessment within one week.

Disclosure

We follow a coordinated disclosure process. We will work with you to understand and address the issue before any public disclosure.

Supported Versions

Security fixes are generally applied to the latest release. Critical vulnerabilities may be backported to recent prior releases at the discretion of the maintainers.