Security: obot-platform/obot

SECURITY.md

Security Policy

We provide security updates in patch releases for supported minor releases.

Reporting a Vulnerability

Please report any vulnerabilities through GitHub's private vulnerability reporting mechanism at https://github.com/obot-platform/obot/security.

  • Include the affected version(s), environment, and impact.
  • Do not open public issues for security reports.

We’ll acknowledge your report within 2 business days, provide a status update in 7 days, and aim to issue a fix or mitigation within 30 days (complex issues may take longer).

Disclosure

We follow coordinated disclosure:

  • We work with you to validate and remediate.
  • After a fix/mitigation is available, we’ll publish release notes and credit reporters who wish to be acknowledged.

Scope

Issues that impact the confidentiality, integrity, or availability of this project or its official packages/services are in scope.

Out of scope (non-exhaustive):

  • Vulnerabilities requiring privileged/local access without a clear escalation path
  • Deprecated or end-of-life versions
  • Vulnerabilities in third-party dependencies not owned by us (please report upstream)

Safe Harbor

We will not pursue legal action for good-faith security research aligned with this policy.
Avoid privacy violations, service degradation, or data destruction. Only test against your own accounts and data.

Receiving Fixes

Security fixes are shipped in patch releases. Upgrade to the latest patch of supported versions.
We may issue public advisories (GHSA/CVE) when appropriate.

Credits

With permission, we credit reporters in release notes.