Organization-wide security reporting policy lives in AzureLocal/.github/SECURITY.md.
Report vulnerabilities privately to the maintainers. Do not open public GitHub issues for security concerns.
- Acknowledgment SLA: 5 business days
- Resolution target: 14 days for high-severity
- In scope: AzureLocal/platform source code, reusable workflows, bootstrap scripts, MAPROOM framework, shared modules
- Out of scope: upstream Azure Local / Arc vulnerabilities, physical-access issues, social engineering
See the org-wide policy for reporting details.