This file lives in the org-wide embeddedos-org/.github repository and is the
default SECURITY.md that GitHub surfaces for every repository in the
EmbeddedOS organisation that does not ship its own.
Email: security@embeddedos.org
Do NOT open public GitHub issues for security vulnerabilities.
Where possible, prefer GitHub's private security advisories on the affected repo; that lets us coordinate the fix and credit you publicly on disclosure.
- Affected repository, component(s), and version(s) / commit hash
- Step-by-step reproduction instructions
- Proof-of-concept code, network capture, or crash dump (if available)
- Impact assessment (confidentiality / integrity / availability)
- Whether you intend to publish; preferred coordinated-disclosure date
Each product repository declares its own supported-version matrix in its own
SECURITY.md. As a general default for the EmbeddedOS organisation:
| Version | Supported |
|---|---|
| Latest released vX.Y.Z | Yes |
| Previous minor vX.(Y-1).Z | Best effort, security patches only |
| Older | No |
| Phase | Timeline |
|---|---|
| Acknowledge | 24 hours |
| Triage | 72 hours |
| Fix released | 90 days |
For 0-days under active exploitation, we will accelerate this timeline and may issue an emergency advisory ahead of the full fix.
We consider security research conducted in good faith to be authorised and will not pursue legal action against researchers who follow the responsible disclosure practices outlined in this document.
Where a repo ships its own SECURITY.md, that file takes precedence over this
default for the specific component it covers. Notable per-repo policies:
We credit researchers in the affected repository's release notes (with their permission). Reach out via the email above if you would prefer a different form of acknowledgement.