Security: ap-iso-test-org/.github

Security

SECURITY.md

Security Policy

ap-iso-test-org is a public reference organization. It does not host production services or customer data. However, if you discover a security issue in any code or configuration in this organization that could be useful to demonstrate or fix, please follow this disclosure procedure.

Reporting

Open a private security advisory through GitHub:

  • Go to the affected repository.
  • Click the Security tab.
  • Click Report a vulnerability.

This creates a private discussion between you and the repository maintainers without disclosing the issue publicly.

If the Security tab is not visible or you cannot use private advisories, open a public issue with as little detail as necessary to flag the problem and request a private channel.

What to include

A useful report contains:

  • The repository and file path or URL where the issue exists.
  • A description of the issue and its potential impact.
  • Steps to reproduce (proof-of-concept welcome but not required).
  • Any suggested remediation.
  • Whether you would like to be credited.

Response expectations

This is a small, single-maintainer reference organization. The maintainer aims to:

  • Acknowledge within 5 business days.
  • Initial assessment within 10 business days.
  • Remediation timeline communicated after assessment, scaled to severity.

For a production organization replicating this configuration, the recommended targets are tighter (acknowledge within 1 business day, assess within 3, remediate critical within 7). Document the chosen targets in the production org's own SECURITY.md and the supporting ISMS incident-response plan.

Scope

In scope:

  • Source code in any repository owned by ap-iso-test-org.
  • Repository configuration and GitHub Actions workflows.
  • Documentation that gives misleading or insecure guidance.

Out of scope:

  • Vulnerabilities in third-party dependencies that have already been disclosed and have available patches (please use Dependabot or equivalent).
  • Issues that require physical access to a maintainer's hardware.
  • Social-engineering attempts.

ISO 27001 reference

This policy supports ISO/IEC 27001:2022 Annex A controls A.5.7 (threat intelligence), A.5.24–A.5.27 (incident management), and A.8.8 (technical vulnerability management).