This policy applies only to the public repositories listed in profile/README.md.
Private or internal systems are out of scope for public disclosure.
- Do NOT open a public issue for undisclosed vulnerabilities.
- Email: security@alteriom.example (placeholder; replace with operational address when available).
- Provide: repository name, affected files, impact overview, reproduction steps.
- Allow at least 14 days for triage and initial response.
- Schema validation bypass (e.g., incorrect TypeScript definitions allowing unsafe payloads)
- Documentation conversion script injection (malicious input producing unsafe output)
- Metadata normalization producing unintended privilege escalation (if automation expands in scope)
- Cosmetic issues (typos, formatting)
- Vulnerabilities requiring access to private repositories
- Social engineering attacks
- Triage & confirm.
- Assign severity (Low / Moderate / High).
- Develop fix and tests.
- Publish advisory and patch simultaneously.
- Credit reporter unless anonymity requested.
| Step | Target Time |
|---|---|
| Acknowledge report | 5 business days |
| Initial triage | 10 business days |
| Fix development | 30 calendar days (depends on severity) |
| Advisory publish | With patch release |
(Encryption key to be published here once available.)
Security fixes should increment the patch version and reference the CVE or internal advisory ID.
Last updated: 2025-10-23