Epochly Security: Security Policy

How to report a vulnerability, our coordinated 90-day disclosure timeline, supported versions, and how Epochly handles your data.

Epochly is a Python performance-overlay package distributed via PyPI. This page describes our supported release surface, how to report a vulnerability, our coordinated-disclosure timeline, and how we handle data.

Supported Versions

Security patches target the latest minor release line of Epochly and the Python versions declared in the package metadata.

Epochly line | Status      | Notes
0.6.x        | Supported   | Active line. Receives security patches.
< 0.6        | Best-effort | Guidance only; no guaranteed patches. Upgrade advised.

Supported Python versions: 3.9 through 3.14, on Linux, macOS, and Windows.

Reporting a Vulnerability

Report suspected vulnerabilities privately to [email protected]. Please do not open public issues for unreleased vulnerabilities.

Please include:

  • Affected Epochly version and installation method (wheel, sdist, editable).
  • A minimal reproduction or proof of concept.
  • Operating system, Python version, and relevant environment variables.
  • Impact assessment, including whether the issue affects confidentiality, integrity, availability, sandboxing, telemetry, or update paths.
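A small pre-flight script that gathers the version, install method, platform and Epochly-related environment details the list above asks for, so a report arrives with the facts a maintainer needs to reproduce. This is an added example, not Epochly's own tooling; it assumes the PyPI distribution is named "epochly", that Epochly reads its settings from EPOCHLY_* environment variables, and that variable names containing KEY, TOKEN, SECRET, LICENSE or PASSWORD hold credentials that must be redacted before the report leaves the host. The install method is derived from pip's PEP 610 direct_url.json metadata, which is absent for a normal index install.

```python
"""Collect the details the Epochly security policy asks for in a report.

Added example, not part of Epochly. Assumptions: the distribution is named
"epochly" on PyPI, its settings live in EPOCHLY_* environment variables, and
names matching SECRET_HINTS carry credentials that must never be reported.
"""
import json
import os
import platform
import re
from importlib import metadata
from typing import Mapping, Optional

DIST_NAME = "epochly"            # assumed PyPI distribution name
SUPPORTED_MINOR = (0, 6)         # active line per the Supported Versions table
SECRET_HINTS = ("KEY", "TOKEN", "SECRET", "LICENSE", "PASSWORD")  # assumed


def classify_install(direct_url_json: Optional[str]) -> str:
    """Map pip's PEP 610 direct_url.json to wheel / sdist / editable.

    pip only writes direct_url.json for VCS, URL or local-path installs; when
    it is missing the package came from an index, reported here as "wheel".
    """
    if not direct_url_json:
        return "wheel"
    info = json.loads(direct_url_json)
    dir_info = info.get("dir_info")
    if dir_info is not None:                      # local directory install
        return "editable" if dir_info.get("editable") else "sdist"
    url = info.get("url", "")                     # archive or VCS URL
    return "wheel" if url.endswith(".whl") else "sdist"


def on_supported_line(version: str) -> bool:
    """True when the version is on the 0.6.x line (pre-release tags ignored)."""
    m = re.match(r"(\d+)\.(\d+)", version)
    return bool(m) and (int(m.group(1)), int(m.group(2))) == SUPPORTED_MINOR


def relevant_env(environ: Mapping[str, str]) -> dict:
    """Return EPOCHLY_* variables, redacting anything that looks like a credential."""
    out = {}
    for name, value in sorted(environ.items()):
        if not name.startswith("EPOCHLY_"):
            continue
        out[name] = "<redacted>" if any(h in name for h in SECRET_HINTS) else value
    return out


def build_report(environ: Mapping[str, str] = os.environ) -> dict:
    """Assemble the report block against the live interpreter and environment."""
    try:
        dist = metadata.distribution(DIST_NAME)
        version = dist.version
        install = classify_install(dist.read_text("direct_url.json"))
    except metadata.PackageNotFoundError:
        version, install = "not installed", "n/a"
    return {
        "epochly_version": version,
        "supported_line": on_supported_line(version),
        "install_method": install,
        "python": platform.python_version(),
        "os": f"{platform.system()} {platform.release()} ({platform.machine()})",
        "env": relevant_env(environ),
    }


if __name__ == "__main__":
    print(json.dumps(build_report(), indent=2))
```

Paste the JSON output into the private report alongside the reproduction; the redaction step is deliberate so that a license key set in the shell is never copied into a mail thread.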

We acknowledge new private reports within five business days.

Coordinated Disclosure

Epochly follows coordinated, responsible disclosure with a default 90-day embargo from the acknowledged report date to the public advisory:

  1. Acknowledge the private report and assign a tracking handle.
  2. Reproduce, confirm impact, and identify affected version lines.
  3. Prepare and validate a fix on a private branch when needed.
  4. Publish a patched release and security advisory once users have an actionable update.
  5. Credit the reporter in the advisory (unless they request anonymity).

Disclosure timing may be shortened (for actively exploited issues, or when a coordinated upstream patch is already public) or lengthened by mutual agreement.

Data Handling

Epochly emits scrubbed, opt-out telemetry by default and opt-in heartbeat telemetry for Lens users. We never collect function inputs or outputs, user datasets, source trees, secrets, or local files. See Telemetry Data Flow for a field-by-field accounting and Threat Model for the adversaries we defend against.

To disable telemetry while keeping licensing endpoints reachable, set EPOCHLY_DISABLE_TELEMETRY=1. To go fully offline (license and telemetry endpoints suppressed), set EPOCHLY_OFFLINE_MODE=1. Telemetry is not a security boundary and the runtime does not depend on it: disabling it never changes runtime correctness.