This is the default security policy for RampStack's public repositories. Individual repositories may publish a more detailed policy that takes precedence.

Report security issues privately through GitHub's private vulnerability reporting on the affected repository (Security tab, then Report a vulnerability). If you cannot use that, email security@rampstack.co.

Include the affected repository, a description of the issue, and reproduction steps if you have them. Do not open a public issue or PR for a security report.

We aim to acknowledge a report within 3 business days and to agree a disclosure timeline with the reporter.