Security fixes are prioritized for actively maintained repositories in this organization.

If you're unsure whether a repo is supported, report it anyway.

Please report security issues privately.

• Preferred: GitHub Private Vulnerability Reporting (if enabled on the affected repo)
• Otherwise: open a private security advisory on the affected repo

Include:

• Affected repository + version/commit
• Reproduction steps or proof-of-concept
• Impact assessment (what an attacker can do)
• Any suggested fix (if you have one)

• Acknowledgement: within 72 hours
• Status updates: at least every 7 days until resolved
• Fix + disclosure: we'll coordinate a timeline with you

• Publicly disclose before we confirm a fix timeline
• Run automated scanners aggressively against GitHub-hosted infrastructure