This security policy applies to public projects under the vend-com organization on GitHub.
Individual projects may publish their own SECURITY.md. When a project has its own policy, that policy takes precedence for that project.
We welcome responsible disclosure of security vulnerabilities, and we appreciate your report.
The preferred way to report a vulnerability in one of our projects is the "Report a vulnerability" button under the "Security" tab of the project on GitHub. This opens a private channel between you and the maintainers.
If a project does not have that option enabled, or your report is not specific to a single project, email us at opensource.security@vend.com. You can also find our contact details in our responsible disclosure policy.
Please do not report a vulnerability through a public issue or pull request.
A good report helps us fix the issue faster. Where you can, include the following:
- The project and version or commit affected.
- A description of the vulnerability and its impact.
- Steps to reproduce it, or a proof of concept.
- Any suggested fix or mitigation.
We run a private bug bounty program. If you submit a valid vulnerability through GitHub private vulnerability reporting, we may invite you to the program.