
Security: cocallaw/AzRetirementMonitor


SECURITY.md

Security Policy

Supported Versions

Only the latest published release of AzRetirementMonitor on the PowerShell Gallery receives security fixes. Please upgrade to the latest version before reporting a vulnerability.

Version   Supported
Latest    Yes
Older     No
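The following PowerShell snippet is an added example, not part of the AzRetirementMonitor project, showing how to confirm that the installed module is the latest PowerShell Gallery release before filing a report, and how to update it if it is not. It assumes the standard PowerShellGet cmdlets (Find-Module, Get-InstalledModule, Install-Module, Update-Module) are available and that the module is published under the name AzRetirementMonitor on PSGallery.

```powershell
# Added example (not project code): verify the installed AzRetirementMonitor is the
# latest PSGallery release, since only that release receives security fixes.
$ModuleName = 'AzRetirementMonitor'

# Newest stable release on the Gallery (prerelease versions excluded by default).
$latest = Find-Module -Name $ModuleName -Repository PSGallery -ErrorAction Stop

# Several versions may be installed side by side; keep the newest one.
$installed = Get-InstalledModule -Name $ModuleName -AllVersions -ErrorAction SilentlyContinue |
    Sort-Object { [version]$_.Version } -Descending |
    Select-Object -First 1

if (-not $installed) {
    Write-Host "$ModuleName is not installed; installing $($latest.Version) from PSGallery."
    Install-Module -Name $ModuleName -Repository PSGallery -Scope CurrentUser -Force
}
elseif ([version]$installed.Version -lt [version]$latest.Version) {
    Write-Host "Installed $($installed.Version) is older than $($latest.Version); updating."
    Update-Module -Name $ModuleName -Force
}
else {
    Write-Host "Installed $($installed.Version) is the latest release and is in scope for reports."
}

# Versions as found before any update, for the 'affected version(s)' field of a report.
[pscustomobject]@{
    Module           = $ModuleName
    InstalledBefore  = if ($installed) { $installed.Version } else { $null }
    LatestOnGallery  = $latest.Version
}
```

Reproduce the issue again on the updated module before reporting; if it no longer reproduces, the fix has already shipped and no report is needed.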

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

To report a vulnerability, use one of the following private disclosure channels:

  1. GitHub Security Advisories (preferred) — open a private security advisory directly in this repository. This keeps the report confidential until a fix is available.

  2. Email — if you are unable to use GitHub Security Advisories, you may contact the maintainer privately through the contact information listed on the GitHub profile.

What to Include

Please provide as much of the following as possible to help us understand and reproduce the issue:

  • A description of the vulnerability and its potential impact
  • The affected version(s)
  • Steps to reproduce or a proof-of-concept
  • Any suggested mitigations or fixes you have already identified

Response Timeline

Milestone                        Target
Acknowledgment of your report    Within 5 business days
Confirmation of vulnerability    Within 10 business days
Release of patch / advisory      Within 30 days of confirmation (may vary with complexity)

We will keep you informed throughout the process. If you do not receive an acknowledgment within the timeframe above, please follow up.

Disclosure Policy

We follow coordinated (responsible) disclosure:

  1. The vulnerability is reported privately.
  2. We investigate, develop a fix, and prepare a new release.
  3. A GitHub Security Advisory is published after the fix is released.

We kindly ask reporters not to publicly disclose a vulnerability until a fix has been released or 90 days have passed since the initial report, whichever comes first.

Scope

This security policy covers the PowerShell source code in this repository. It does not cover:

  • Third-party dependencies (Az.Accounts, Az.Advisor, Azure Advisor REST API) — report those to Microsoft.
  • Infrastructure or deployment environments operated by individual users.

There aren’t any published security advisories