Jo is a language project for secure programming. Security reports are taken seriously, including reports of compiler bugs, type-system soundness issues, capability escape bugs, sandboxing assumptions, supply-chain issues, and vulnerabilities in project tooling.
Do not report security vulnerabilities in public issues, pull requests, or discussions.
Use GitHub private vulnerability reporting for this repository. If private vulnerability reporting is not available, contact the maintainer privately before sharing details publicly.
When reporting a vulnerability, include:
- A short description of the issue
- Steps to reproduce it
- A minimal Jo program or command, if applicable
- Expected behavior
- Actual behavior
- Any known impact or workaround
Jo is currently early-stage software. Until the first stable release, security fixes are applied to the main development branch.
Please give the maintainers reasonable time to investigate and fix confirmed issues before public disclosure.