# Security Policy ## Reporting Security Issues We take the security of our project seriously. If you believe you have found a security vulnerability, please report it to us privately. **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** > **Important Note**: Any code within the `classic/` folder is considered legacy, unsupported, and out of scope for security reports. We will not address security vulnerabilities in this deprecated code. Instead, please report them via: - [GitHub Security Advisory](https://github.com/dataelement/bisheng/security/advisories/new) ### Reporting Process 1. **Submit Report**: Use one of the above channels to submit your report 2. **Response Time**: Our team will acknowledge receipt of your report within 14 business days. 3. **Collaboration**: We will collaborate with you to understand and validate the issue 4. **Resolution**: We will work on a fix and coordinate the release process ### Disclosure Policy - Please provide detailed reports with reproducible steps - Include the version/commit hash where you discovered the vulnerability - Allow us a 90-day security fix window before any public disclosure - Share any potential mitigations or workarounds if known ## Supported Versions Only the following versions are eligible for security updates: | Version | Supported | |---------|-----------| | Latest release on master branch | ✅ | | Development commits (pre-master) | ✅ | | Classic folder (deprecated) | ❌ | | All other versions | ❌ | --- Last updated: November 2024