Security fixes are published for the latest released package versions unless a release note says otherwise.
Report suspected vulnerabilities privately through GitHub security advisories for aep-foundation/aep-node.
Include:
- Affected package and version.
- A minimal reproduction or affected code path.
- Expected impact.
- Whether the issue is already public.
Do not open a public issue for an active vulnerability.
Security reports are appropriate for issues that can compromise protocol authentication, credential handling, enrollment state, service authorization, package integrity, or runtime isolation.
General protocol design discussion belongs in the AEP specifications repository.