docs/architecture/Security Model & Features.md
Lines changed: 29 additions & 6 deletions
@@ -120,16 +120,39 @@ OpenCore provides comprehensive audit capabilities to meet regulatory and compli
120
120
121
121
---
122
122
123
-
##Vulnerability Management & Security Notices
123
+
# Vulnerability Management & Security Policy
124
124
125
-
Staying up to date with security fixes is critical.
125
+
## Reporting a Vulnerability
126
+
127
+
If you discover any security issues, please let us know by one of the following methods:
128
+
129
+
-**GitHub Private Security Advisories**
130
+
Submit a private advisory on this repository.
131
+
-**Email**
132
+
Send an email to **security@openiap.io**.
133
+
134
+
We aim to acknowledge all valid reports within **48 hours**.
135
+
136
+
## Supported Versions
137
+
138
+
We actively provide security fixes for the **two most recent major releases**.
139
+
If you’re running an older version, please upgrade to continue receiving important updates.
140
+
141
+
## Security Updates
126
142
127
143
-**GitHub Security Advisories**
128
-
Subscribe to the OpenCore repository if you want to be update on security and bug fixes.
144
+
Subscribe to be notified of any published advisories.
129
145
-**Dependabot & Automated Scans**
130
-
We use dependabot and github automated Security and code scanning. And we prefere people use github's "Private vulnerability reporting" feature to report vulnerabilities.
131
-
-**Disclosure Policy**
132
-
Alernatively, you can report vulnerabilities via security at openiap.io. Our team typically responds within 48 hours, if the report has a real security vulnerabilities and will send out public advisory for paying customers in case for seriuse issues, that need patching. We do not offer bounty programs at this time.
146
+
We use Dependabot and GitHub’s code-scanning tools to catch vulnerabilities early.
147
+
-**Third-Party Review & Penetration Testing**
148
+
We engage with independent auditors—hired by organizations using our platform—to perform annual code reviews and active penetration tests.
149
+
150
+
## Disclosure & Bounty
151
+
152
+
- Public disclosure is encouraged once a fix is available.
153
+
- We do **not** currently run a paid bug-bounty program.
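Review bot: the heading level changes from `##Vulnerability Management & Security Notices` to `# Vulnerability Management & Security Policy`, which promotes this section to a top-level heading inside `docs/architecture/Security Model & Features.md`, a document that also covers audit capabilities (see the hunk header context); keep it at `##` and make the new subsections (`## Reporting a Vulnerability`, `## Supported Versions`, `## Security Updates`, `## Disclosure & Bounty`) `###` so the file's outline stays consistent. Two content points in the same hunk: "Supported Versions" promises fixes for the two most recent major releases without naming them, so a short version table would make the policy actionable and easy to keep current; and the removed sentence that committed to sending advisories to paying customers for serious issues has no replacement under "Disclosure & Bounty", so either restore that commitment or state that notifications now go only through published GitHub advisories. Minor: the reporting section could say what a useful report should contain (affected version, reproduction steps, impact) so triage within the stated 48 hours is realistic.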