This policy applies to repositories in this org that are under active development, especially services that handle:
- authentication and authorization
- student or instructor account data
- analytics or recommendation outputs
- file uploads, tokens, or API integrations
Do not open a public issue for security problems.
Instead:
- Use GitHub private vulnerability reporting if it is enabled for the repository.
- If private reporting is not enabled, contact the repository maintainers through a private channel already used by the project team.
- Include the affected repository, impact, reproduction steps, and any proof-of-concept details needed to validate the issue.
- affected repository and branch
- vulnerability type
- attack prerequisites
- step-by-step reproduction
- expected impact
- suggested mitigation, if known
- Initial acknowledgment target: within 5 business days
- Status updates: as investigation progresses
- Public disclosure: only after a fix or mitigation is available
- Avoid sharing secrets, tokens, or production data in reports.
- Minimize access during testing.
- Coordinate fixes for cross-repository issues before disclosure.