The following is the default security policy for all repos within the Veraison organisation. Some repos may have a distinct security policy that overrides this policy, so please check the security tab for any repo of interest.

The Veraison team are very grateful to receive reports of any suspected security vulnerabilities in any of the components. To make a report please email the private security list at [email protected] with details of the problem. It would be useful if you can include an outline of the vulnerability and steps required to reproduce it (if applicable) and any current release or tag information maintained by the repo.

All reports will be thoroughly investigated by a core team. This team will communicate with the reporter of any issue to clarify any information required and to report progress of the investigation. When the investigation is complete and it is determined that a fix or workaround is required, this will be published disclosing the vulnerability and crediting the reporter for their contribution (unless they would prefer to remain anonymous).