Skip to content

Security: openchoreo/openchoreo

SECURITY.md

Security Policy

OpenChoreo takes the security of our users and the ecosystem seriously. We follow coordinated disclosure practices and appreciate the community's help in keeping the project secure.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Instead, report them privately using GitHub's private vulnerability reporting:

Report a vulnerability (Security → Advisories → Report a vulnerability)

Please include as much detail as you can:

  • A clear description of the issue.
  • The affected component and version(s).
  • Steps or a proof of concept to reproduce it.
  • The potential impact.

If you would like to help fix the issue, you are welcome to propose a fix privately through the advisory's temporary private fork.

We will acknowledge your report within 3 business days and keep you informed as we work toward a fix.

Disclosure Process

We use GitHub Security Advisories, with GitHub acting as the CVE Numbering Authority (CNA). Once a report is received:

  1. Maintainers validate the report and assess severity.
  2. A fix is developed privately within the security advisory.
  3. A CVE is requested through the advisory, and the fix is released.
  4. The advisory is published, and the reporter is credited unless anonymity is requested.

Supported Versions

For the versions that receive security fixes, see our release and support process.

Learn more about advisories related to openchoreo/openchoreo in the GitHub Advisory Database