Only the latest released version of this project is supported with security updates.
Older versions do not receive security fixes.

If you discover a security vulnerability, do not report it publicly.
Instead, report it using GitHub Security Advisories for this repository.
This allows responsible disclosure and coordinated remediation.
- Public disclosure of security issues before coordination is not permitted.
- Please allow the maintainer to investigate and address the issue before sharing details publicly.

This project is a base web framework, and vulnerabilities may affect a large number of downstream applications.

Response timeline:

- Initial response: within 72 hours
- Remediation: depends on severity and complexity. The goal is to resolve or mitigate the issue within 72 hours after the initial response whenever possible.
- Security fixes are distributed via regular releases.
- Semantic Versioning is followed.
- Dependabot is enabled to assist with third-party dependency updates.

This project depends on external libraries, including (but not limited to):
Security advisories affecting these dependencies may also impact this project, so please inform the maintainer if you are aware of any.
Security reporters may be acknowledged in release notes or advisories if they wish.

The project maintainer is responsible for:
- Security triage
- Vulnerability assessment
- Coordinating fixes and releases