OpenChoreo takes the security of our users and the ecosystem seriously. We follow coordinated disclosure practices and appreciate the community's help in keeping the project secure.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, report them privately using GitHub's private vulnerability reporting:
Report a vulnerability (Security → Advisories → Report a vulnerability)
Please include as much detail as you can:
- A clear description of the issue.
- The affected component and version(s).
- Steps or a proof of concept to reproduce it.
- The potential impact.
If you would like to help fix the issue, you are welcome to propose a fix privately through the advisory's temporary private fork.
We will acknowledge your report within 3 business days and keep you informed as we work toward a fix.
We use GitHub Security Advisories, with GitHub acting as the CVE Numbering Authority (CNA). Once a report is received:
- Maintainers validate the report and assess severity.
- A fix is developed privately within the security advisory.
- A CVE is requested through the advisory, and the fix is released.
- The advisory is published, and the reporter is credited unless anonymity is requested.
For the versions that receive security fixes, see our release and support process.