The latest release of each project receives security updates. Older versions are not supported.
Do not open a public issue for security concerns.
This file is a fallback policy for repositories that do not define their own SECURITY.md.
If a repository has a local security policy, that repository policy takes precedence.
Instead, use GitHub's private vulnerability reporting:
- Navigate to the affected repository
- Go to the Security tab
- Click Report a vulnerability
If private reporting is unavailable in the target repository, do not disclose details publicly. Open a minimal "security contact request" in Discussions without vulnerability details, then move to a confidential channel before sharing technical information.
Please include:
- affected repository and default branch
- impacted version(s) or commit range
- reproduction steps and prerequisites
- impact assessment (confidentiality / integrity / availability)
- proof-of-concept details (only in private reports)
We aim to:
- Acknowledge reports within 48 hours
- Provide a status update within 7 days
- Release a fix within 30 days for confirmed issues
Coordinated disclosure preferred. We will credit reporters in release notes unless anonymity is requested.