Skip to content

Security: erlef/security-wg

SECURITY.md

Security Policy

OpenSSF Vulnerability Disclosure GitHub Report Email Report

We take the security of this software seriously and are committed to ensuring that any vulnerabilities are addressed promptly and effectively.

This repository follows the OpenSSF Vulnerability Disclosure guide. You can learn more about it in the Finders Guide.

Reporting Security Issues

If you believe you have found a security vulnerability in this repository, please report it via GitHub Security Vulnerability Reporting at github.com/erlef/<project>/security/advisories/new or via email to security@erlef.org if that is more suitable for you.

Please do not report vulnerabilities through public channels such as GitHub issues, discussions, or pull requests, to avoid exposing the details of the issue before it has been properly addressed.

We don't implement a bug bounty program or bounty rewards, but will work with you to ensure that your findings get the appropriate handling.

When reporting a vulnerability, please include as much detail as possible to help us triage and resolve the issue efficiently. Information that will be specially helpful includes:

  • The type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  • Full paths of source file(s) related to the issue
  • The location of the affected source code (e.g., tag, branch, commit, or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if available)
  • The potential impact, including how the issue might be exploited by an attacker

Our vulnerability management team will respond within 3 working days of your report. If the issue is confirmed as a vulnerability, we will open a Security Advisory. This project follows a 90-day disclosure timeline.

If you have any questions about reporting security issues, please contact our vulnerability management team at security@erlef.org.

There aren’t any published security advisories