The Armory

Gold Lapel takes security reports seriously. Please report privately — don't open a public GitHub issue for a vulnerability.

Contact: security@goldlapel.com

Or use GitHub's private vulnerability reporting on any goldlapel/* repo.

Supported versions

Gold Lapel is pre-1.0. No version is officially supported for security backports. Always upgrade to the latest release.

Enterprise agreements supersede this policy.

Response expectations

• Acknowledgement within 7 days.
• Coordinated disclosure within 180 days.

We'll tighten these SLAs as the team grows.

Scope

In scope: the goldlapel CLI, all language wrappers (goldlapel-python, goldlapel-js, goldlapel-ruby, goldlapel-java, goldlapel-php, goldlapel-go, goldlapel-dotnet), and the website (goldlapel.com, manor.goldlapel.com).

Out of scope: third-party infrastructure (Cloudflare, Stripe, SendGrid, Hetzner, GitHub) — report those directly to the provider.