OpenAtlas is an open source product, and we only provide security patches for the latest version. Older versions will not receive retroactive security patches.
- Please do not create a public issue. Instead, please email us at openatlas@craws.net.
- Please describe the issue in as much detail as possible, including steps to reproduce the vulnerability, potential impact, and any other relevant information.
- We will acknowledge your email and will contact you to understand the issue and find a solution as quickly as possible.
We follow a disclosure process:
- We will investigate the reported vulnerability and work on a fix.
- A fix will be developed, tested, and incorporated into the software.
- Once the fix is ready, we will release a new version of OpenAtlas.
- We will notify the reporter about the fix and, if they wish to be credited, acknowledge their contribution in the release notes and on our website.
OpenAtlas does not currently operate a bug bounty program. We do not offer monetary rewards for vulnerability reports.
We appreciate responsible disclosure and will acknowledge contributors in our release notes and on our website (with permission), but submitting a report does not guarantee or imply any monetary compensation.