This is the default security policy for all repositories in the
wickra-lib organization. Individual
repositories may publish their own SECURITY.md, which takes precedence over
this one — for example the main library
(wickra) has a
more detailed policy covering its supported versions, scope, and assurance case.
Do not open a public issue for a security vulnerability.
Report it privately through one of:
- GitHub's private vulnerability reporting — open the affected repository's Security tab and choose "Report a vulnerability", or
- email support@wickra.org with a subject line starting with
[wickra security].
Please include:
- the affected repository and version(s) or commit,
- a description of the issue and its impact,
- steps to reproduce, ideally a minimal proof of concept.
- An acknowledgement within 5 working days.
- An assessment and, if confirmed, a planned fix with a target release.
- Coordinated disclosure: we agree on a disclosure date with you and credit you in the release notes unless you prefer to stay anonymous.
In scope: the source code, build and release workflows, and published artifacts of repositories in this organization.
Out of scope: vulnerabilities in third-party dependencies (report those upstream; we track them via Dependabot). Findings that do not affect a project — for example an unreachable code path — are triaged and recorded rather than acted on blindly.