| title | Security |
|---|---|
| description | How to report a security vulnerability in Wickra — private disclosure via GitHub's security advisories or support@wickra.org, what to include, and what to expect. |
Found a vulnerability in Wickra? Please do not open a public issue.
Report it privately through one of:
- GitHub's private vulnerability reporting — open the affected repository's Security tab and choose "Report a vulnerability", or
- email support@wickra.org with a subject line
starting with
[wickra security].
Please include the affected repository and version (or commit), a description of the issue and its impact, and steps to reproduce — ideally a minimal proof of concept.
- An acknowledgement within 5 working days.
- An assessment and, if confirmed, a planned fix with a target release.
- Coordinated disclosure: we agree on a disclosure date with you and credit you in the release notes unless you prefer to stay anonymous.
In scope: the source code, build and release workflows, and published artifacts
of the wickra-lib repositories. Out of scope:
vulnerabilities in third-party dependencies — report those upstream; we track
them via Dependabot.
The full policy lives in the main repository's
SECURITY.md.