| Version | Supported |
|---|---|
| v2.x | ✅ Active |
| v1.x | ❌ End of life |
Do NOT open a public issue for security vulnerabilities.
Instead:
- Email: security@opensecdevops.dev (or use GitHub's private vulnerability reporting)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial assessment: Within 5 business days
- Fix timeline: Depends on severity
  - Critical: 7 days
  - High: 14 days
  - Medium: 30 days
  - Low: Next release
OSDO follows security best practices:
- All dependencies scanned with OSDO's own tools
- Signed releases (Cosign/Sigstore)
- SBOM generated for every release
- SLSA Level 2 provenance (planned)
- Regular security audits
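The signed-release and SBOM bullets above describe what OSDO publishes; what a consumer actually gains from them is the ability to check a download before running it. The script below is an added example of that consumer-side check and is not OSDO's own code. It assumes a release layout the page does not specify: a checksums file in `sha256sum` format, an SBOM, and Sigstore bundles produced by keyless signing from a GitHub Actions workflow. The OIDC issuer, the signing-identity regexp and the file names are placeholders to be replaced with the values from the real release workflow.

```shell
#!/usr/bin/env sh
# Added example (not part of OSDO): verify a release's signature, checksums and SBOM.
# Assumptions, not taken from the page: release ships checksums.txt, an SBOM,
# and *.sigstore.json bundles from keyless signing in GitHub Actions.
set -u

# Placeholders: set to the real release workflow's issuer and identity.
OSDO_ISSUER="https://token.actions.githubusercontent.com"
OSDO_IDENTITY_RE='^https://github.com/opensecdevops/.+/\.github/workflows/release\.yml@refs/tags/v.+$'

# Portable SHA-256 of a file (coreutils sha256sum, or shasum on BSD/macOS).
sha256_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksums CHECKSUMS_FILE DIR
# CHECKSUMS_FILE holds lines "<hex sha256>  <filename>" (sha256sum format).
# Every listed file must exist in DIR and hash to the listed digest.
# Returns 0 when all match, 1 on any mismatch or missing file.
verify_checksums() {
    checksums="$1"; dir="$2"; status=0
    while read -r expected name || [ -n "$expected" ]; do
        [ -n "$expected" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name" >&2; status=1; continue
        fi
        actual=$(sha256_file "$dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK      $name"
        else
            echo "FAIL    $name (expected $expected, got $actual)" >&2
            status=1
        fi
    done < "$checksums"
    return $status
}

# verify_signature BLOB BUNDLE
# Keyless Sigstore verification: the bundle must carry a Fulcio certificate
# whose identity matches OSDO_IDENTITY_RE and whose OIDC issuer is OSDO_ISSUER.
# Pinning the identity is what stops any other Sigstore signer from passing;
# verifying the checksums file this way is what makes the hash comparison
# above trustworthy. Returns cosign's exit status, or 127 if cosign is absent.
verify_signature() {
    blob="$1"; bundle="$2"
    if ! command -v cosign >/dev/null 2>&1; then
        echo "cosign is not installed; cannot verify $blob" >&2
        return 127
    fi
    cosign verify-blob \
        --bundle "$bundle" \
        --certificate-oidc-issuer "$OSDO_ISSUER" \
        --certificate-identity-regexp "$OSDO_IDENTITY_RE" \
        "$blob"
}

# Usage, under the assumed release layout (signature first, then hashes):
#   verify_signature checksums.txt checksums.txt.sigstore.json \
#     && verify_checksums checksums.txt . \
#     && verify_signature sbom.cdx.json sbom.cdx.json.sigstore.json
```

Order matters: verify the signature on the checksums file before trusting any digest in it, and verify the SBOM's own signature before feeding it to a scanner, since an unsigned SBOM can be swapped as easily as the artifact it describes.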
We thank all security researchers who responsibly disclose vulnerabilities.