This security policy applies to public projects under the Kit organization on GitHub.
If you discover a security vulnerability, please report via any of the below:
Please do not report security issues publicly via GitHub issues or discussions. Security reports sent via the above channels be acknowledged within 48 hours.
When reporting a security vulnerability, please include:
- Description - A clear description of the vulnerability
- Impact - What kind of vulnerability it is and who it impacts
- Reproduction - Detailed steps to reproduce the issue
- Proof of Concept - If applicable, include proof-of-concept code
- Suggested Fix - If you have ideas for how to fix the issue
- Initial Response: Within 48 hours of receiving the report
- Investigation: We will investigate and validate the reported vulnerability
- Fix Development: Development of a patch or mitigation strategy
- Release: Coordinated disclosure and release of security update
- Public Disclosure: After users have had time to upgrade