This document describes the security policy for this repository, including which versions receive security updates and how to report vulnerabilities.
Maintainers develop and merge security fixes on the default branch
(main) and publish those fixes in the latest tagged release. Older
releases and tags do not receive security updates. Users should track
the latest tagged release for security patches.

| Version | Supported |
|---|---|
| Latest tagged release | ✅ |
| Older releases/tags | ❌ |

If you discover a security vulnerability in this project, please report it privately so that maintainers can investigate and release a fix before the issue becomes publicly known.
Use GitHub's private vulnerability reporting feature:
- Navigate to the Security tab of this repository.
- Click Report a vulnerability.
- Provide as much detail as possible (see below).
This creates a private advisory visible to maintainers.
If you cannot use GitHub's private reporting, send an email to the Linux Foundation Release Engineering team at:
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
To help maintainers triage and resolve the report, please include:
- A clear description of the vulnerability and its potential impact.
- Steps to reproduce the issue (proof-of-concept code or commands).
- The affected version(s), commit SHA, or release tag.
- Any known mitigations or workarounds.
- Your name and contact details for follow-up (optional).
Maintainers will acknowledge receipt of vulnerability reports within 5 business days. We aim to:
- Confirm the vulnerability and determine its severity.
- Develop and test a fix in a private branch or advisory.
- Coordinate a disclosure timeline with the reporter.
- Release a patched version and publish a security advisory.
We follow a responsible disclosure process and credit reporters in the published advisory unless they request to remain anonymous.
This policy covers the source code, configuration, and documentation in this repository. Please report vulnerabilities in upstream dependencies to their respective maintainers; this project will update affected dependencies once fixes become available.