Security fixes, if issued, should be expected on the latest supported 0.x line. Older snapshots, generated artifacts, and local forks are not maintained as supported release lines.

For non-security questions or bug reports, use SUPPORT.md.

Do not open a public issue with exploit details.

Use GitHub private vulnerability reporting for this repo. Open the Security tab, then use the private report flow.

If that GitHub path is unavailable, open a minimal public issue that asks for a private contact path and keep the report details out of the issue body.

Please include enough detail for a fast triage. We will confirm receipt, reproduce the issue, and keep the report private until we have a fix plan.

Include:

• affected file, surface, or command
• impact and expected severity
• clear reproduction steps
• any known workaround or mitigation

This policy covers the shipped Python package under src/rally/, bundled runtime assets under src/rally/_bundled/, and the shipped Rally-owned prompt, skill, and stdlib content in this repo.