We only provide security updates for the latest stable release. If you are running an older version, please upgrade and confirm that the issue still reproduces on the latest release before reporting it.
| Version | Supported |
|---|---|
| Latest stable release | ✅ |
| Older releases (including anything below 1.0.0) | ❌ |
Please do not open a public GitHub issue for security vulnerabilities. Publicly disclosing a vulnerability can put the entire community at risk before we have a chance to fix it.
If you have discovered a security vulnerability in any CodeCanvas Collective repository, please report it via one of the following methods:
- Email: Send a detailed report to [INSERT EMAIL HERE - e.g. security@codecanvas.xyz]. Please include:
  - the affected repository and version (or commit hash),
  - steps to reproduce the vulnerability,
  - a Proof of Concept (PoC), if possible, and
  - your assessment of the impact.
- GitHub Private Reporting: If the repository has "Private Vulnerability Reporting" enabled, go to the repository's Security tab -> Advisories -> Report a vulnerability. Reports submitted this way are visible only to the maintainers and to you until an advisory is published.
Once you have submitted a report, here is what to expect:
- Acknowledgment: We will acknowledge receipt of your report within 48 hours.
- Assessment: We will confirm the vulnerability and determine its severity.
- Fix: We will develop and test a patch in a private environment.
- Disclosure: Once the patch is released, we will publicly disclose the vulnerability and credit you (if desired).
We ask that you give us a reasonable amount of time (typically 90 days) to fix the issue before making it public. In return, we pledge not to take legal action against you as long as you act in good faith and follow this policy.
The following are out of scope and strictly prohibited:
- Denial of Service (DoS/DDoS) attacks.
- Social engineering or phishing of our contributors.
- Physical attacks against our infrastructure or members.
- Submitting raw output from automated scanners without a verified finding (please triage scanner results yourself before reporting them).
We believe in giving credit where credit is due. If you responsibly report a vulnerability that leads to a fix, we will list you in our Security Hall of Fame (in the release notes).
Thank you for keeping CodeCanvas Collective safe! 🛡️