If you have encountered a potential security vulnerability in this project, please report it to us at roberto@planta7.io. We will work with you to verify the vulnerability and patch it.

DO NOT report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Please include as much of the information listed below as you can to help us better understand and resolve the issue:

• The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit the issue

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect the project's users, and provides them with a chance to upgrade and/or update in order to protect their applications.

If we verify a reported security vulnerability, our policy is:

• We will patch the current release branch, as well as the immediate prior minor release branch.

• After patching the release branches, we will immediately issue new security fix releases for each patched release branch.

• A security advisory will be released detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at https://github.com/planta7/servant/security/advisories.

This document is adapted from the Security Policies from GitHub and Laminas.