Security: Assoverse/Orion

Security Policy

Supported Versions

We currently support security fixes on the main branch. Tagged releases will receive fixes on a best-effort basis. If you discover a vulnerability affecting an older release, please mention the version in your report so we can help evaluate the impact.

Reporting a Vulnerability

If you discover a security vulnerability within Orion or any of its packages:

  1. Do not create a public GitHub issue.
  2. Email the maintainers at security@assoverse.app with the following details:
    • Description of the vulnerability
    • Steps to reproduce
    • Affected versions / packages
    • Potential impact (if known)
    • Suggested remediation (optional)
  3. Encrypt sensitive details using our PGP key (available upon request) if needed.

You will receive an acknowledgement within 72 hours. We aim to provide an initial assessment within 5 business days. Once the fix is released, we will credit the reporter unless anonymity is requested.

Disclosure Process

  • We will work with you to reproduce and resolve the issue.
  • A coordinated disclosure date will be agreed upon, typically 30 days after the initial report unless the vulnerability is actively exploited.
  • Security advisories will be published in the repository under .github/advisories and announced in the changelog.

Thank you for helping to keep Orion users safe.
