OpenChoreo takes the security of our users and the ecosystem seriously. We follow industry-standard practices for responsible disclosure and encourage the community to report vulnerabilities safely and privately.
If you discover a security issue, please do not open a public GitHub issue. Instead, follow the process below.
To report a security vulnerability, please email: security@openchoreo.io
Your report should include:
- A description of the issue
- Steps to reproduce (if possible)
- Potential impact
- Any suggested remediation
- Your contact information for follow-up questions
You will receive an acknowledgment within 3 business days.
Once a report is received:
- The security team reviews the issue and determines the severity.
- A fix is developed privately in a restricted branch or fork.
- Once validated, the patch is merged and released.
- GitHub Security Advisories (GHSA) are published as needed.
- The reporter is credited unless they request anonymity.
We strive to resolve critical issues as quickly as possible and follow coordinated disclosure best practices.
Security fixes will be backported to:
- The latest stable release
- The previous stable minor release (if feasible)
Pre-1.0 releases (0.x) may receive fixes at the discretion of the maintainers.
Security announcements will be published through:
- GitHub Security Advisories
- Release notes
- The OpenChoreo community channels