Security Policy
We take the security of C+, the cpc toolchain, and the standard library seriously. If you believe you have found a vulnerability, please report it privately so we can fix it before it is disclosed.
Reporting a vulnerability
Email security@cplus-lang.dev with a description of the issue. Please do not open a public issue for security reports. A good report includes:
- The component and version affected (for example, the output of `cpc --version`).
- A description of the vulnerability and its impact.
- Steps to reproduce, ideally a minimal proof of concept.
- Any suggested remediation, if you have one.
What to expect
- We will acknowledge your report within three business days.
- We will work with you to understand and validate the issue and keep you informed of our progress.
- We will credit you in the advisory when a fix ships, unless you prefer to remain anonymous.
Coordinated disclosure
We ask that you give us a reasonable opportunity to fix an issue before any public disclosure, and that you avoid privacy violations, data destruction, and service degradation while researching. We will publish an advisory once a fix is available and users have had a reasonable window to update.
Scope
This policy covers the C+ compiler, language tooling, and first-party libraries published by the project. Reports about third-party packages should go to their respective maintainers.