Kotbusta follows a rolling release model with the main branch as the primary release channel.
| Version/Tag | Support Status | Notes |
|---|---|---|
| `main` (latest) | ✅ Fully Supported | Recommended for production use |
| Tagged releases | Security patches only for critical vulnerabilities | |
| Development branches | ❌ Not Supported | Use at your own risk |
- Production Use: Always use the `main` tag for the latest stable version
- Updates: It is safe and recommended to update to the latest `main` Docker tag
- Security Patches: Applied immediately to the `main` branch
We take security seriously at Kotbusta. If you discover a security vulnerability, please follow these steps:
- Do not create a public issue
- Report vulnerabilities privately through GitHub Security Advisories
- Click the "Report a vulnerability" button
- Provide detailed information including:
  - Vulnerability description
  - Steps to reproduce
  - Potential impact
  - Suggested remediation (if any)
- Initial Response: Within 48 hours
- Vulnerability Assessment: Within 5 business days
- Patch Development: Based on severity:
  - Critical: Within 24-48 hours
  - High: Within 1 week
  - Medium: Within 2 weeks
  - Low: Next regular release
- Private Disclosure: Report through secure channels
- Verification: We verify and assess the vulnerability
- Fix Development: Create and test patches
- Coordinated Release:
  - Apply fix to `main` branch
  - Update Docker images
  - Publish security advisory
- Public Disclosure: After patches are available
Kotbusta includes several security features:
- Kotlin Type Safety: Leverages Kotlin's null-safety and type system
- Minimal Dependencies: Reduced attack surface
- Container Isolation: Designed for containerized deployments
- Input Validation: Comprehensive request validation
- Secure Defaults: Security-first configuration
We appreciate security researchers who help keep Kotbusta secure. Contributors who report valid security issues will be acknowledged in our security advisories (with permission).