| Version | Supported |
|---|---|
| 0.1.x | ✅ |

If you discover a security vulnerability in Krama Core, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, email rishi@nirvyalabs.com with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

We will acknowledge receipt within 48 hours and aim to release a patch within 7 days for critical issues.

This policy covers the krama-core Python package and its dependencies.
It does not cover third-party ABDM sandbox environments or FHIR validators.

Krama Core takes the following precautions:
- No secrets in code — No API keys, tokens, or credentials are stored in the repository
- Dependency scanning — `pip-audit` runs on every CI build
- Static analysis — `bandit` scans for common Python security issues
- Input validation — All inputs pass through Pydantic models before processing
- Minimal dependencies — Only `pydantic` is required as a runtime dependency, to reduce attack surface