Security: aliansoftwareteam/AlianHub-Project-Management-System

SECURITY.md

Security Policy

Supported Versions

This project follows Semantic Versioning (SemVer), but does not provide guaranteed security support for specific versions.

Security fixes are applied on a best-effort basis, typically to the latest released version. Users are strongly encouraged to stay up to date.


Reporting a Vulnerability

All suspected security vulnerabilities must be reported via GitHub Security Advisories.

➡️ Submit a report here: https://github.com/aliansoftwareteam/AlianHub-Project-Management-System/security/advisories/new

Please include the following information (all are required):

  • A clear summary of the suspected vulnerability
  • Detailed explanation of the issue and what it can access or affect
  • Proof of Concept (PoC)
    • Code samples are required
    • A reproduction video is optional
    • The PoC must demonstrate real impact (e.g. access to sensitive data). Simple alert popups or theoretical issues may not be considered valid vulnerabilities.
  • Impact assessment (who is affected and how)

Optionally, you may include an estimated CVSS score. CVE requests may be handled by the maintainers when appropriate.


Response & Handling

  • You can expect an initial response within 72 hours on a best-effort basis
  • The maintainers will validate the report and assess severity
  • If confirmed, a fix will be developed and released as soon as reasonably possible, depending on complexity and impact

We follow a responsible disclosure process. Details of confirmed vulnerabilities will not be publicly disclosed until a fix is available and users have had reasonable time to upgrade.

Before any public disclosure (blog posts, talks, social media, etc.), reporters are expected to coordinate with the maintainers to avoid premature or harmful disclosure.


Disclosure & CVEs

For eligible vulnerabilities, the maintainers may request a CVE through GitHub’s advisory process. Not all issues will receive a CVE.

Once a fix is released:

  • A security advisory will be published
  • Disclosure details may follow after an appropriate waiting period, depending on severity

Security Process (High-Level)

  1. Vulnerability submitted via GitHub Security Advisory
  2. Initial review and validation by maintainers
  3. Severity assessment and fix planning
  4. Patch development and verification
  5. Advisory update and coordinated release
  6. Public disclosure after users have time to upgrade

Bug Bounties

This project does not offer bug bounties or rewards for vulnerability reports.

There aren’t any published security advisories