We take security seriously and provide security updates for the following versions:

Note: Only the latest major version receives security updates. Please upgrade to the latest version to ensure you have the latest security patches.

Please do not report security vulnerabilities through public GitHub issues.

We strongly encourage responsible disclosure of security vulnerabilities. If you discover a security issue, please report it privately using one of the following methods:

1. Navigate to the repository's Security tab
2. Click "Report a vulnerability"
3. Fill out the advisory form with details about the vulnerability
4. Submit the report

GitHub Security Advisories allow us to:

• Discuss the vulnerability privately
• Collaborate on a fix
• Publish a CVE if needed
• Credit you for the discovery

Report URL: https://github.com/{{ORG_NAME}}/.github/security/advisories/new

If you prefer email or cannot use GitHub Security Advisories, email us at:

📧 security@{{ORG_NAME}}.com

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fixes (optional)

For security issues that are:

• Already publicly disclosed
• Low severity and don't pose immediate risk
• Security enhancements or hardening suggestions

You may create a public issue using our Security Vulnerability template.

We are committed to responding quickly to security reports:

Response times may vary based on:

• Severity of the vulnerability
• Complexity of the fix
• Need for coordinated disclosure with other parties

1. Report Received - We acknowledge receipt within 24 hours
2. Assessment - We evaluate severity and impact (72 hours)
3. Remediation - We develop and test a fix
4. Disclosure - We coordinate disclosure timing with you
5. Release - We deploy the fix and publish an advisory
6. Credit - We publicly credit you (unless you prefer anonymity)

We use the CVSS 3.1 scoring system:

• Critical (9.0-10.0): Immediate action required
• High (7.0-8.9): Urgent fix needed
• Medium (4.0-6.9): Important fix needed
• Low (0.1-3.9): Minor issue

Status: Coming Soon

We are planning to launch a bug bounty program to reward security researchers who responsibly disclose vulnerabilities. Details will be published here when available.

Interested in participating? Watch this repository or contact us at security@{{ORG_NAME}}.com.

We use the following automated security tools to detect vulnerabilities:

• TruffleHog - Scans for secrets, API keys, tokens
• Gitleaks - Detects hardcoded credentials and sensitive data
• detect-secrets - Prevents secrets from entering the codebase

• Dependabot - Automated dependency updates and security patches
• GitHub Advanced Security - Dependency vulnerability scanning

• CodeQL - Semantic code analysis for security vulnerabilities
• Semgrep - Static analysis for security patterns

Our security workflows run automatically on every push and pull request:

• 🔒 Secret Scanning - .github/workflows/security-scan.yml
• 🔍 Code Scanning (CodeQL) - .github/workflows/codeql-analysis.yml
• 📦 Dependency Review - .github/workflows/dependency-review.yml

View all security workflows: Security Workflows

When contributing to this project:

• ✅ Never commit secrets, API keys, passwords, or tokens
• ✅ Use environment variables or secrets management for sensitive data
• ✅ Keep dependencies up to date
• ✅ Follow secure coding practices
• ✅ Review our CONTRIBUTING.md guidelines
• ✅ Run security checks locally before pushing

• General Security Issues: security@{{ORG_NAME}}.com
• Security Team: @{{ORG_NAME}}/security
• Emergency Contact: Create a private security advisory

We thank the following researchers for responsibly disclosing security vulnerabilities:

No vulnerabilities reported yet.

Last Updated: January 12, 2026

For general questions about this policy, please contact security@{{ORG_NAME}}.com.