Status: canonical
Purpose: define how vulnerabilities and security-sensitive issues must be reported for the Vida Stack repository.
Do not open a public GitHub issue, pull request, or discussion for vulnerabilities, secrets exposure, supply-chain compromise, or other security-sensitive findings.
Use private reporting instead.
Send a private report to the repository maintainer through the primary repository contact path, and do not disclose the finding publicly until the maintainer has responded or a fix or mitigation is available.
A useful report should include:
- the affected component or path,
- reproduction steps, when they can be shared safely (do not paste live credentials or secrets into the report; point to where they are exposed instead),
- an impact summary,
- the version or commit context (release tag or commit hash) in which the issue was observed,
- any mitigation or workaround already known.
Best effort is made to:
- acknowledge the report,
- assess impact,
- decide whether the issue requires immediate containment, patching, or coordinated disclosure,
- publish a fix or mitigation path when appropriate.
No public response timeline is guaranteed in this early repository phase; reporters will be kept informed as the assessment progresses.
This policy applies to:
- released binaries and install surfaces,
- repository automation,
- dependency or supply-chain exposure,
- runtime command and state-handling vulnerabilities,
- credential or secret leakage in repository-controlled surfaces.
artifact_path: project/repository/security
artifact_type: repository_doc
artifact_version: '1'
artifact_revision: '2026-03-12'
schema_version: '1'
status: canonical
source_path: SECURITY.md
created_at: '2026-03-12T10:30:00+02:00'
updated_at: '2026-03-12T08:04:26+02:00'
changelog_ref: SECURITY.changelog.jsonl