|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Reporting a Vulnerability |
| 4 | + |
| 5 | +We're extremely grateful for security researchers and users who report vulnerabilities they discovered in modelpack. |
| 6 | +All reports are thoroughly reviewed and investigated. |
| 7 | + |
| 8 | +### When Should I Report a Vulnerability? |
| 9 | + |
| 10 | +You should report if: |
| 11 | + |
| 12 | +- You think you have discovered a potential security vulnerability in modepack |
| 13 | +- You are uncertain about the security impact of an issue you found in modelpack |
| 14 | + |
| 15 | +### How to Report a Vulnerability? |
| 16 | + |
| 17 | +Please report a vulnerability using GitHub’s [Security Advisories](https://github.com/modelpack/community/security). |
| 18 | +**Do not create a public issue, pull request, or discussion**. |
| 19 | + |
| 20 | +To submit a report, navigate to the community repository's main page, open the **Security** tab, select **Advisories** from the sidebar, |
| 21 | +click **Report a vulnerability**, provide the required details, and submit. |
| 22 | +This process will create a private advisory visible only to the maintainers for review. |
| 23 | + |
| 24 | +### Security Vulnerability Response |
| 25 | + |
| 26 | +Our maintainers will review and respond to your report within **5 working days**. Depending on the severity and complexity of the issue, resolution times may vary, but we will keep you informed throughout the process. |
| 27 | + |
| 28 | +### Supported Versions |
| 29 | + |
| 30 | +We only provide security fixes for the latest major version. |
| 31 | + |
| 32 | +| Version | Security Fixes Provided | |
| 33 | +|---------------|-------------------------| |
| 34 | +| `@latest` | Yes | |
| 35 | +| Older versions| Not Guaranteed | |
| 36 | + |
| 37 | +### Public Disclosure Timing |
| 38 | + |
| 39 | +The disclosure date will be agreed upon between the modelpack maintainers and the reporter. |
| 40 | +In general: |
| 41 | + |
| 42 | +- Immediate disclosure may occur if the issue is already public. |
| 43 | +- For vulnerabilities with straightforward fixes, disclosure is typically within **7 days** of the report. |
| 44 | +- For complex issues requiring more time to investigate and validate fixes, disclosure may be delayed—up to a maximum of **90 days**. |
| 45 | + |
| 46 | +Delays may also be necessary if the bug or fix is not yet fully understood or adequately tested. |
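Review bot: Line 12 misspells the project name as "modepack" (lines 5, 13 and 39 use "modelpack"); fix it before merge. In Supported Versions, line 30 says fixes are provided only for the latest major version, while the table on lines 34-35 uses `@latest` and marks older versions "Not Guaranteed"; settle on one statement so a reporter knows whether a fix for an older release can be expected. Line 26 promises a first response within 5 working days and line 43 puts typical disclosure within 7 days of the report, which leaves little room between acknowledgement and publication; consider stating whether the 7 days run from the report or from the point a fix is available. Lines 17-22 name the GitHub advisory form as the only reporting channel; a fallback contact for reporters who cannot use it would be worth adding.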