Security: octovel/forge

SECURITY.md

Security Policy

The Octovel Security Policy outlines how vulnerabilities are reported, handled, and communicated across our open-source projects.
This document ensures transparency and a clear process for researchers, contributors, and users to maintain the safety and reliability of the Octovel ecosystem.


Supported Versions

Each Octovel project maintains its own versioning and lifecycle policy.
While details may vary, we follow a consistent approach to ensure continued security support across all maintained projects.

General Policy

  • Security updates are provided for the latest major version of each project.
  • Critical fixes may be backported to older versions where feasible.
  • Projects under version 0.x are considered experimental and may not receive active security maintenance.

Finding Version Information

You can find version and support details by checking the project's README.md, SECURITY.md, or release section on GitHub.
For global support timelines and compatibility information, visit https://docs.octovel.com.


Reporting Vulnerabilities

If you identify a security issue, please do not disclose it publicly.
Octovel maintains a private disclosure process to ensure responsible and secure handling of vulnerabilities.

Disclosure Process

  1. Do not open a public issue.
  2. Send a private report to security@octovel.com.
  3. Include the following details in your message:
    • Project name and version
    • Description of the vulnerability
    • Steps to reproduce
    • Proof-of-concept or demonstration if available
    • Your contact information for follow-up

Our Commitment

Octovel’s security team will respond within three business days.
We will keep you informed throughout the remediation process and may credit your discovery in our acknowledgments unless anonymity is requested.


Security Updates and Alerts

Security updates are delivered through patch releases for the latest supported versions (for example, 1.0.1, 1.0.2).
Users are encouraged to remain on the latest version to benefit from ongoing fixes and improvements.


Security Best Practices

For Users

Users can help maintain security by following these recommended practices:

  • Keep dependencies and applications updated
  • Use unique, strong passwords and enable two-factor authentication
  • Review permissions granted to applications and integrations
  • Stay informed about security announcements related to Octovel projects

For Contributors

Contributors play a vital role in maintaining code integrity. All contributions should adhere to secure development standards:

  • Follow secure coding practices and validate all user input
  • Never commit credentials, API keys, or sensitive data
  • Keep dependencies current and remove unused packages
  • Write and maintain tests for critical components

Security Considerations

Data Protection

Octovel adheres to modern data protection and privacy standards.
Sensitive information is encrypted in transit and at rest, and periodic audits are conducted on our infrastructure and internal processes.

Third-party Dependencies

All third-party dependencies undergo review and are monitored for known vulnerabilities.
Dependency updates are regularly applied to ensure continued security compliance.


Legal and Disclosure Policy

By submitting a report, you agree to our responsible disclosure policy.
We will not pursue legal action against researchers who act in good faith, avoid privacy violations or data destruction, and allow reasonable time for resolution before public disclosure.


Contact

For all security-related inquiries, please contact: security@octovel.com

There aren’t any published security advisories