Security: yeoman/yeoman-app

SECURITY.md

Security Policy

This policy applies to all repositories under the github.com/yeoman organization.

Reporting a Vulnerability

We take security vulnerabilities seriously and appreciate your efforts to responsibly disclose any issues. Please follow the guidelines below to report any security issues privately.

Primary Reporting Method: GitHub Security Advisory

If you discover a security vulnerability, it is crucial that you do not create a public issue under any circumstances. Public issues can inadvertently expose the vulnerability, potentially leading to exploitation before a fix is available.

Instead, please report the vulnerability through a GitHub Security Advisory on the relevant repository. This private channel ensures that only the maintainers can see the details, which allows a timely and secure resolution. We make full use of what the GitHub Security Advisory platform provides, including its private communication channel and its coordinated disclosure options.

Secondary Reporting Option: Email

If you are unable to use a GitHub Security Advisory for any reason, you may report the issue by email to ulises@linux.com. To encrypt sensitive information, please use our PGP key, available at https://github.com/ulisesgascon.gpg

When sending an email, please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce the issue.
  • Any supporting information or proof of concept.

Coordinated Vulnerability Disclosure (CVD)

We also support Coordinated Vulnerability Disclosure (CVD). By following this process, we can collaborate with you on a fix and ensure the vulnerability is not publicly disclosed until it has been properly addressed.

Important Reminder

🚨Do not create a public issue to report a security vulnerability. This is to protect both the project and its users from potential exploitation before the issue is resolved.

Disclosure Timeline and Public Announcement

  • Acknowledgment: We will acknowledge receipt of your report within 2–5 working days.
  • Progress Updates: We will keep you informed as we investigate and work on a fix.
  • Resolution Time: We aim to resolve confirmed vulnerabilities within 30 days, but complex issues may take longer.
  • Public Disclosure: We coordinate with you on public disclosure only after a fix or mitigation is in place.
  • Researcher Recognition: With your permission, we acknowledge security researchers in the public advisory after the fix.

Acknowledgements

We appreciate and value the contributions of security researchers who take the time to responsibly disclose vulnerabilities. We can acknowledge your contribution (with your permission) once the fix is published, or you may remain anonymous if you prefer.

Thank you for helping us maintain a secure environment across all Yeoman repositories!