At Opendex Corporation, the security of our software, services, and repositories is a strategic priority.
We are committed to maintaining resilient, reliable, and transparent systems for our customers, partners, and the broader community.
If you discover a potential vulnerability in any Opendex component, please follow the reporting process described below.
- Do not report vulnerabilities via public GitHub issues or discussions.
- All reports must be submitted privately to our security team at: security@opendex.org
- For encrypted communication, you may request our PGP key via the same email address.
  The key will also be published at: https://community.opendex.dev/security/pgp (in preparation)
To help us investigate and respond efficiently, please provide as much of the following information as possible:
- Technical description of the issue (e.g., buffer overflow, SQL injection, XSS, privilege escalation).
- Affected files, paths, or modules, including tag, branch, commit, or direct URL.
- Any special configuration required to reproduce the issue.
- Detailed reproduction steps.
- Proof of concept (PoC) or working exploit, if available.
- Assessment of potential impact and possible exploitation scenarios.
- English
- Spanish
Opendex follows the Coordinated Vulnerability Disclosure (CVD) framework:
- The researcher responsibly reports the vulnerability to the Opendex security team.
- Opendex acknowledges receipt and begins validation and mitigation.
- A reasonable disclosure timeline is coordinated with the researcher.
- Once remediation is complete, Opendex publishes the technical details and, if authorized, credits the researcher for their contribution.
Opendex values the contributions of the security community. Upon request, we publicly acknowledge researchers who help strengthen the security of our platform.