This policy applies to all repositories under the github.com/yeoman organization.

We take security vulnerabilities seriously and appreciate your efforts to responsibly disclose any issues. Please follow the guidelines below to report any security issues privately.

If you discover a security vulnerability, it is crucial that you do not create a public issue under any circumstances. Public issues can inadvertently expose the vulnerability, potentially leading to exploitation before a fix is available.

Instead, please report the vulnerability via the GitHub Security Advisory for the relevant repository. This private channel ensures only maintainers can access the details, enabling a timely and secure resolution. We fully utilize the capabilities that the GitHub Security Advisory platform provides, including private communication channels and coordinated disclosure options.

If you are unable to use the GitHub Security Advisory for any reason, you may report the issue via email to [email protected]. If you would like to encrypt sensitive information, please use our PGP key, available at: https://github.com/ulisesgascon.gpg

When sending an email, please include:

• Steps to reproduce the issue.
• A description of the vulnerability and its potential impact.
• Any supporting information or proof of concept.

We also support Coordinated Vulnerability Disclosure (CVD). By following this process, we can collaborate on fixes and ensure vulnerabilities are not publicly disclosed until they are properly addressed.

Do not create a public issue to report a security vulnerability. This is to protect both the project and its users from potential exploitation before the issue is resolved.

• We aim to acknowledge receipt of your report within 2–5 working days.
• We will keep you informed of our progress as we investigate and work on fixes.
• In general, we strive to fix or otherwise address confirmed vulnerabilities within 30 days, though timelines may vary depending on severity and complexity. We will coordinate with you regarding public disclosure once a fix is available or mitigation is in place.
• Please do not publicly disclose details of the vulnerability until we have confirmed a fix or provided approval, to ensure the security of our users.

We appreciate and value the contributions of security researchers who take the time to responsibly disclose vulnerabilities. We can acknowledge your contribution (with your permission) once the fix is published, or you may remain anonymous if you prefer.

Thank you for helping us maintain a secure environment across all Yeoman repositories!