
Security: cemphlvn/lumen-binary


SECURITY.md

Security Policy

Supported versions

The 0.x series is pre-stable. Security fixes land only in the latest minor release; upgrade to it to receive them.

Reporting a vulnerability

Please open a private security advisory on GitHub:

  1. Go to the repository's Security tab.
  2. Click Report a vulnerability.
  3. Provide a description, affected version, and a minimal reproduction.

We aim to respond within 7 days and to publish a fix within 30 days for high-severity issues.

Do not file public issues for security problems.

Threat model

Lumen runs locally; it does not open network sockets, write outside build/, or execute downloaded code. The current attack surface is:

  • .lumen parser — accepts arbitrary text; treats it as a specification, not as code to execute.
  • CLI — reads files the user passes; writes to build/.

If you find an input that causes Lumen to write outside build/, exfiltrate environment variables, or run user-supplied code paths beyond the EML evaluator, that is a vulnerability and we want to hear about it.
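The "never writes outside build/" invariant above is the one a reporter would be probing with a minimal reproduction. The following is an added example, not Lumen's code (the function names `resolve_in_build`, `probe_escapes` and `demo` are hypothetical): it shows how such an output-path check is commonly implemented, resolving against the real filesystem so that `..`, absolute paths and a symlink planted inside build/ are all rejected, and it exercises each of those cases in a throwaway directory tree constructed inline.

```python
"""Path-containment check for a build/ output directory.

Added example, not Lumen's own code. Demonstrates the invariant a
reporter tests against: no output path derived from an input may
resolve outside build/. All names here are hypothetical.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class EscapesBuildDir(ValueError):
    """Raised when a requested output path would land outside build/."""


def resolve_in_build(build_dir: str | os.PathLike[str], requested: str) -> Path:
    """Return the absolute path for `requested` inside `build_dir`.

    Rejects absolute paths, '..' traversal and symlinks that point outside
    build_dir. Both sides are resolved through the real filesystem, so a
    symlink inside build/ cannot redirect the write somewhere else.
    """
    root = Path(build_dir).resolve()
    candidate = Path(requested)
    if candidate.is_absolute():
        raise EscapesBuildDir(f"absolute output path rejected: {requested!r}")
    # resolve(strict=False) follows existing symlinks in any prefix and
    # normalises '..' against the real parents, not the lexical ones.
    target = (root / candidate).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise EscapesBuildDir(
            f"{requested!r} resolves to {target}, outside {root}"
        ) from None
    return target


def probe_escapes(build_dir: str | os.PathLike[str], requested: str) -> bool:
    """True if `requested` is rejected, i.e. the invariant holds for that input."""
    try:
        resolve_in_build(build_dir, requested)
    except EscapesBuildDir:
        return True
    return False


def demo() -> dict[str, bool]:
    """Exercise the check in a constructed tree with a symlink planted in build/."""
    with tempfile.TemporaryDirectory() as tmp:
        build = Path(tmp) / "build"
        build.mkdir()
        outside = Path(tmp) / "outside"
        outside.mkdir()
        # Attacker-style setup: a link inside build/ that leaves it.
        (build / "link").symlink_to(outside, target_is_directory=True)
        return {
            "plain": probe_escapes(build, "out/main.o"),          # stays inside
            "dotdot": probe_escapes(build, "../outside/x"),       # rejected
            "absolute": probe_escapes(build, str(outside / "x")),  # rejected
            "symlink": probe_escapes(build, "link/x"),            # rejected
        }


if __name__ == "__main__":
    for name, rejected in demo().items():
        print(f"{name:9s} rejected={rejected}")
```

A lexical check such as `os.path.normpath(...).startswith(build_dir)` would pass the `symlink` case above, which is exactly the kind of input worth including in a report.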

There aren't any published security advisories