SecuringTheRealm is a small, part-time/open-source-adjacent project org - there's no dedicated security team, but reports are taken seriously and get a real response, not a form letter.
This policy applies to any repository under this org that doesn't have its own SECURITY.md. A few repos (templates, private tooling) may carry their own policy instead - check the individual repo first if one exists there.
Please do not open a public issue for a security problem.
Use the Report a vulnerability button under the Security tab of the affected repository (private vulnerability reporting is enabled org-wide). This keeps the report private until a fix ships.
- A read on whether it's reproducible and roughly when a fix might land, once triaged - timelines vary since this is maintained outside a day job.
- Credit in the fix notes / advisory, unless you'd rather stay anonymous.
- No bug bounty - this is a personal/small org, not a funded security programme.
Repos here generally track main / the latest release only; there's no long-term-support branch policy. If a specific repo does maintain older supported versions, that'll be called out in its own SECURITY.md.