This repository provides the default security policy for Oremif projects. If a repository has its own SECURITY.md, that repository-specific policy takes precedence over this file.

Unless a repository says otherwise, security fixes are applied to the latest stable release only.

Please report security issues privately.

• Use GitHub Private Vulnerability Reporting in the affected repository whenever it is available.
• Do not open a public issue with exploit details, proof-of-concept code, or leaked secrets.
• If private vulnerability reporting is not available, open a minimal public issue requesting a private reporting channel without including sensitive details.

When reporting a vulnerability, include:

• the affected repository and version;
• a short description of the issue and its impact;
• reproduction steps or a proof of concept when safe to share privately;
• any known mitigations or workarounds.

Initial response is best effort and typically within 7 days. Oremif is maintained by a solo maintainer, so investigation and patch timelines may vary depending on severity and maintenance load.

After a fix is available, the vulnerability may be disclosed publicly through a release note, advisory, or follow-up issue.