The following versions of Mere are currently supported with security updates:

If you discover a security vulnerability, please report it responsibly.

Send your report to: enrique@github.com

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Affected versions
• Suggested fix (if known)

1. Confirmation: We will acknowledge receipt of your report within 48 hours
2. Investigation: We will investigate and assess the severity
3. Resolution: We will aim to patch within 7 days for critical issues
4. Disclosure: We will coordinate disclosure timing with you

• We will publicly disclose the vulnerability within 90 days
• You will be credited in the security advisory
• We will not disclose your contact information without permission
• Critical vulnerabilities may be disclosed sooner

When using Mere, follow these security practices:

• Only install from official sources: GitHub releases or mere.enriquefft.com
• Verify checksums if provided
• Keep Mere updated to the latest version

• Review generated code before committing
• Don't expose API keys or secrets in code
• Use .claude/ only in trusted projects
• Review interface contracts (INTERFACE.md) for security implications

• Keep .claude/ directory version controlled
• Don't commit sensitive information
• Review changes to interface files
• Use environment variables for secrets

Mere includes these security considerations:

• Zero remote execution: All code is generated locally by AI
• No telemetry: No data is sent to external servers
• Minimal dependencies: Only necessary packages are included
• Source transparency: Full source code is available

• Last Audit: TBD
• Next Audit: Planned for v1.0
• Auditor: To be determined

If you have questions about this security policy or a vulnerability report, contact us at:

📧 enrique@github.com

• CVE Mitre
• OWASP
• Responsible Disclosure