Security: bergencc/moondance

SECURITY.md

Security Policy

Moon Dance is maintained by the Bergen Open Source Foundation (BOSF). We take security seriously and value responsible disclosure to protect students, contributors, and the Bergen Community College community.

Supported Versions

Version                      Status
main (active development)    Supported
Older commits/releases       Best effort

Reporting a Vulnerability

Do not report security vulnerabilities in public issues, discussions, or pull requests.

Use a private channel instead:

  1. GitHub Security Advisory ("Report a vulnerability") when available for this repository.
  2. BOSF maintainer channels with a clear subject line such as SECURITY: Moon Dance.

For urgent campus safety concerns, contact Bergen Community College Office of Student Life or Public Safety immediately in addition to project maintainers.

Include as much detail as possible:

  • Summary of the vulnerability.
  • Affected component(s) and file/path references.
  • Reproduction steps or proof of concept.
  • Expected impact and potential severity.
  • Any known mitigations or patch suggestions.
  • Your preferred contact method for follow-up.

Response Expectations

  • Initial acknowledgment target: within 3 business days.
  • Triage/update target: within 7 business days.
  • Validated critical/high issues are prioritized for remediation.
  • Fix timelines depend on severity, complexity, and maintainer availability; the goal is to ship urgent fixes as quickly as feasible.

Coordinated Disclosure

  • Please keep reports private until a fix or mitigation is ready.
  • After remediation, maintainers may publish a public advisory/changelog note.
  • We can credit reporters unless anonymous reporting is requested.

Responsible Testing

  • Test only systems you own or are explicitly authorized to test.
  • Avoid actions that expose private data or degrade service availability.
  • Stop testing and report immediately if sensitive user data is accessed.

Non-Security Reports

Use public issues for:

  • Feature requests.
  • General bugs without security impact.
  • Documentation improvements.

There aren't any published security advisories