We support the latest release of each repository on the main branch. Older branches and tagged releases are patched on a best-effort basis.
Please do not open a public GitHub issue for security vulnerabilities.
Report security issues privately via one of the following:
- Preferred: Private vulnerability reporting on the affected repository.
- Email: security@envisionconstruction.com — PGP key available on request.
Include, if possible:
- Repository and branch/commit affected
- A reproducible proof of concept
- Impact assessment (what can an attacker do?)
- Any suggested remediation
| Stage | SLA |
|---|---|
| Acknowledgement | within 2 business days |
| Initial triage + severity rating | within 5 business days |
| Fix or mitigation plan | within 30 days for critical, 90 days for high/medium |
| Public disclosure (coordinated) | after fix is deployed |
In scope:
- All repositories under the Envision-Construction organization
- Deployed services under `*.envisionconstruction.com` and `*.envsn.com`
- Official NPM and PyPI packages published by Envision
Out of scope:
- Social engineering of employees or contractors
- Physical attacks against Envision infrastructure
- Denial-of-service attacks (please do not test in production)
- Third-party services we integrate with (report to them directly)
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
- Report vulnerabilities promptly through the channels above
- Do not exploit the issue beyond what is necessary to demonstrate it
- Give us a reasonable time to remediate before disclosure
Thank you for helping keep Envision and our customers safe.