SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

1. Do NOT open a public issue
2. Email the maintainer directly or use GitHub's private vulnerability reporting
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

Response Timeline

• Acknowledgment: Within 48 hours
• Initial assessment: Within 7 days
• Fix timeline: Depends on severity

Scope

Security issues we care about:

• Authentication/authorization bypasses
• Data leaks (API keys, tokens, personal data)
• Remote code execution
• Injection vulnerabilities

Out of scope:

• Issues requiring physical device access
• Social engineering
• Third-party dependencies (report to them directly)

Supported Versions

Version	Supported
1.x	Yes

Thank you for helping keep OpenVision secure!