If you discover a security vulnerability in any Archipelag.io repository, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, email security@archipelag.io with:
- A description of the vulnerability
- Steps to reproduce the issue
- The affected repository and version (if known)
- Any potential impact assessment
- Suggested fix (if you have one)

After you report, you can expect:
- Acknowledgment: Within 48 hours of your report
- Assessment: Within 7 days we will provide an initial assessment
- Fix: Critical vulnerabilities will be prioritized for immediate patching

This policy applies to all public repositories in the archipelag-io organization:
- website
- archipelag-python
- archipelag-js
- api-docs

We provide security fixes for the latest release of each package. Older versions are not actively supported.
We appreciate responsible disclosure and will credit reporters (with permission) in release notes when vulnerabilities are fixed.