Security: vend-com/.github

SECURITY.md

Security Policy

This security policy applies to public projects under the vend-com organization on GitHub.

Individual projects may publish their own SECURITY.md. When a project has its own policy, that policy takes precedence for that project.

Reporting a vulnerability

We welcome responsible disclosure of security vulnerabilities, and we appreciate your report.

The preferred way to report a vulnerability in one of our projects is the "Report a vulnerability" button under the "Security" tab of the project on GitHub. This opens a private channel between you and the maintainers.

If a project does not have that option enabled, or your report is not specific to a single project, email us at opensource.security@vend.com. You can also find our contact details in our responsible disclosure policy.

Please do not report a vulnerability through a public issue or pull request.

What to include

A good report helps us fix the issue faster. Where you can, include the following.

  • The project and version or commit affected.
  • A description of the vulnerability and its impact.
  • Steps to reproduce it, or a proof of concept.
  • Any suggested fix or mitigation.

Bug bounty

We run a private bug bounty program. If you submit a valid vulnerability through GitHub private vulnerability reporting, we may invite you to the program.
