Security updates are provided for the latest major version of each project. Check individual repository documentation for specific version support.
Do not open public issues for security vulnerabilities.
Report security issues via:
- Email: security@opensyntaxhq.dev
- Subject line:
[SECURITY] <brief description>
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
| Stage | Timeframe |
|---|---|
| Initial acknowledgment | 48 hours |
| Preliminary assessment | 7 days |
| Resolution target | 30 days (may vary by severity) |
- Report received and acknowledged
- Vulnerability verified and assessed
- Fix developed and tested
- Coordinated disclosure (if applicable)
- Security advisory published
- Credit given to reporter (unless anonymity requested)
We follow responsible disclosure practices:
- We'll work with you to understand and resolve the issue
- We'll credit reporters in security advisories
- We ask that you don't disclose publicly until we've had time to address the issue
This policy covers all repositories under OpenSyntaxHQ. Third-party dependencies should be reported to their respective maintainers.
Thanks for helping keep our projects safe.