OpenJustice is an open-source information management platform. We take the security of our project and its users seriously. This document outlines our responsible disclosure policy.
If you discover a security vulnerability, please report it by emailing bundukamarasaidu@gmail.com. Do not open a public issue for security-related bugs.
To help us triage and respond effectively, please include the following in your report:
- Description: A clear summary of the vulnerability.
- Steps to Reproduce: Detailed instructions to reliably reproduce the issue.
- Impact Assessment: Your evaluation of the severity and potential consequences.
- Suggested Fix: If you have a proposed remediation, include it. This is optional but appreciated.
Once we receive a report, our response timeline is as follows:
- Acknowledgment: We will confirm receipt of your report within 48 hours.
- Status Update: We will provide an initial assessment and status update within 7 days.
- Resolution: We aim to resolve confirmed vulnerabilities within 30 days, depending on complexity.
We will keep you informed of progress throughout the process.
The following are in scope for this policy:
- The OpenJustice codebase (this repository and any officially maintained modules).
- Official deployments of OpenJustice operated by the project maintainers.
The following are out of scope:
- Third-party dependencies: Vulnerabilities in upstream libraries or frameworks should be reported directly to their respective maintainers.
- Social engineering: Attacks targeting people (phishing, pretexting, etc.) rather than the software itself.
- Denial of service testing: Do not perform DoS or DDoS testing against any OpenJustice deployment.
We support security research conducted in good faith. Researchers who follow this policy and make a reasonable effort to avoid harm will not face legal action from the OpenJustice project. We ask that you:
- Act in good faith and avoid privacy violations, data destruction, or service disruption.
- Only interact with accounts you own or have explicit permission to test.
- Report vulnerabilities promptly and allow reasonable time for remediation before any public disclosure.
We value the contributions of security researchers. With your permission, we will credit responsible reporters in our release notes. If you prefer to remain anonymous, we will respect that preference.
For all security-related communications, reach us at bundukamarasaidu@gmail.com.