This policy is the default for every repository in the IDev4life organization
that does not provide its own SECURITY.md.
Security fixes are provided for the latest released major version of each project. Older majors are supported on a best-effort basis only.
Please do not open a public GitHub issue or pull request for security problems.
Preferred channel: use GitHub's private vulnerability reporting on the affected
repository — Security tab → Report a vulnerability.
If private reporting is not available, email contact@dev1sme.cloud with:
- a description of the issue and its impact,
- affected repository, branch, or release,
- minimal steps or proof-of-concept to reproduce,
- your contact information for follow-up.
Where possible, encrypt sensitive details before sending them, and never post exploit material (proof-of-concept code, crash inputs, credentials) on public channels.
After you report, you can expect:
- Acknowledgement of receipt within 3 business days.
- A triage decision (accepted / needs-info / out-of-scope) within 7 business days.
- Coordinated disclosure: we will agree on a timeline with you before any public advisory or CVE is published.
- Credit in the release notes / advisory if you wish.
Out of scope for this policy:
- Issues that require a compromised developer machine or a compromised maintainer account.
- Vulnerabilities in third-party dependencies already tracked by Dependabot or GHSA — please report those upstream.
- Denial of service caused by abusive workloads against shared infrastructure.
Thank you for helping keep IDev4life and its users safe.