We release patches for security vulnerabilities. The following versions are currently supported with security updates:

| Version | Supported |
|---|---|
| Latest | ✅ |

We take the security of AWOS seriously. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
Please include the following information in your report:
- Type of vulnerability
- Full paths of source file(s) related to the manifestation of the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability, including how an attacker might exploit it
After you submit a vulnerability report, we will:
- Acknowledge receipt of your vulnerability report within 48 hours
- Provide an estimated timeline for when you can expect a response indicating next steps
- Keep you informed of the progress towards a fix and full announcement
- Credit you for the discovery (if you wish) when we publicly disclose the vulnerability
When we receive a security bug report, we will:
- Confirm the problem and determine affected versions
- Audit code to find any similar problems
- Prepare fixes for all supported releases
- Release new security patch versions as soon as possible
When using AWOS in your projects:
- Keep AWOS updated to the latest version
- Review generated code before committing to production
- Be cautious when using AI-generated code with sensitive data
- Follow secure coding practices in your project
- Regularly update your dependencies
This security policy applies to:
- The AWOS framework code
- Official AWOS documentation
- Installation scripts and tooling
If you have suggestions on how this policy could be improved, please submit a pull request or open an issue.