Security Policy

Supported Versions

Use this section to tell people about which versions of your project are currently being supported with security updates.

Please use one of the following channels to report security issues:

GitHub Security Advisories (recommended)
- Open the repository, go to the "Security" tab → "Advisories" → "Report a vulnerability".
- This creates a private, coordinated disclosure workflow.
If the advisories feature is not available, open a GitHub Issue with the label security and mark it confidential, or use the repository's "Report a vulnerability" link if present.
For sensitive reports, email the maintainers at: CarnegieJ@IAYFconsulting.com
- If you email, please encrypt sensitive information using our PGP key (if available) or attach safe reproduction steps.

Include the following in your report:

Acknowledgement: We aim to acknowledge all valid reports within 3 business days.
Initial triage: We will triage and classify severity within 7 calendar days.
Resolution: Timeline for fixes depends on severity. Critical issues will be prioritized and patched as soon as feasible.
Updates: We will provide status updates at least weekly until resolved.
CVE: We will coordinate CVE requests for applicable vulnerabilities.

Please do not publicly disclose details of a security issue until a patch or mitigation is released.
Responsible disclosure is appreciated — public disclosure before a fix may lead to delayed support for affected users.

We will publish release notes describing the fix and affected versions.
Users are advised to upgrade to a supported patched version as soon as practical.

If you need a faster response or have escalation requirements, include "URGENT" in the subject line and provide your preferred contact method.

Project by IAYF Consulting