Security: LiF-x/Projects

SECURITY.md

Security Policy

Reporting a Vulnerability

The security of Projects and our users is our top priority. We appreciate your efforts to responsibly disclose any security vulnerabilities you discover.

How to Report

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities through one of the following methods:

  1. GitHub Security Advisories (Preferred):

    • Go to the Security Advisories page
    • Click "Report a vulnerability"
    • Provide detailed information about the vulnerability
  2. Private Communication:

    • If you prefer not to use GitHub Security Advisories, please contact the repository maintainers directly
    • Look for contact information in the repository or organization profile

What to Include

When reporting a vulnerability, please include:

  • Description: A clear description of the vulnerability
  • Impact: The potential impact and severity of the issue
  • Steps to Reproduce: Detailed steps to reproduce the vulnerability
  • Affected Versions: Which versions of Projects are affected
  • Proof of Concept: If possible, include a proof of concept (but please do so responsibly)
  • Suggested Fix: If you have ideas for how to fix the issue, we'd love to hear them

What to Expect

After you submit a vulnerability report:

  1. Acknowledgment: We will acknowledge receipt of your report within 48 hours
  2. Assessment: We will assess the vulnerability and determine its severity
  3. Updates: We will keep you informed about our progress
  4. Resolution: We will work to resolve the issue as quickly as possible
  5. Disclosure: Once fixed, we will coordinate disclosure timing with you

Response Timeline

  • Critical vulnerabilities: We aim to patch within 7 days
  • High severity: We aim to patch within 30 days
  • Medium severity: We aim to patch within 60 days
  • Low severity: We will address in a regular release cycle

These are target timelines and may vary based on the complexity of the issue.

Security Update Process

When a security vulnerability is fixed:

  1. We will release a security patch
  2. We will publish a security advisory
  3. We will credit the reporter (unless they prefer to remain anonymous)
  4. We will notify users through appropriate channels

Supported Versions

Please check the releases page or documentation for information about which versions of Projects currently receive security updates.

As a general policy:

  • The latest major version receives security updates
  • Previous major versions may receive critical security updates for a limited time
  • Older versions are not supported and users should upgrade

Security Best Practices

To help keep your Projects installation secure:

  1. Keep Updated: Always use the latest version of Projects
  2. Monitor Advisories: Watch this repository for security advisories
  3. Report Issues: If you notice something suspicious, report it
  4. Follow Guidelines: Adhere to recommended configuration and usage guidelines

Scope

This security policy covers:

  • The Projects application itself
  • Official plugins and extensions (if any)
  • This repository and its contents

This policy does not cover:

  • Third-party plugins or modifications
  • Issues in dependencies (please report those to the respective projects)
  • User-specific configuration issues
  • Social engineering attacks

Recognition

We appreciate security researchers who help keep Projects secure. Reporters of valid security issues may be:

  • Acknowledged in security advisories (with their permission)
  • Credited in release notes
  • Listed in a security hall of fame (if we establish one)

Bug Bounty

At this time, we do not offer a paid bug bounty program. However, we greatly appreciate responsible disclosure and will recognize contributors appropriately.

Questions

If you have questions about this security policy or need clarification on the reporting process, please create an issue using the "Question" template or contact the maintainers directly.

Policy Updates

This security policy may be updated from time to time. Please check back periodically for changes.


Last Updated: 2025-11-10

Thank you for helping keep Projects and our users safe! 🔒

There aren’t any published security advisories