Do not file a public GitHub issue for security vulnerabilities.
Instead, please report security issues using GitHub Security Advisories.
This allows us to assess the issue and coordinate a fix before public disclosure.
| Stage | Target |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 7 days |
| Fix or mitigation | Depends on severity and complexity |
This policy covers:
- Vulnerabilities in the toolbox bootstrap scripts, manifest system, and verification pipeline
- Security issues in vendored third-party plugins (we will coordinate with upstream maintainers)
- Supply chain concerns related to
upstreams.lock.jsonpinning integrity
- Godot Engine vulnerabilities (report to the Godot project)
- Vulnerabilities in third-party plugins not vendored by this repository