Security fixes are handled on the default branch and the latest public release line.
Do not open a public issue for suspected vulnerabilities, secrets, tokens, or exploit details.
Report vulnerabilities through GitHub private vulnerability reporting: https://github.com/krotname/CompanyStatusChecker/security/advisories/new
Include in the report:
- affected version or commit,
- reproducible request flow,
- example payloads and logs with secrets redacted,
- impact assessment,
- suggested mitigation if available.
The maintainer aims to acknowledge valid reports within 48 hours and provide a remediation timeline after the impact is confirmed.
Do not commit API keys, tokens, credentials, or production-like secrets in code, tests, fixtures, or documentation.