| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
Please do NOT open public GitHub issues for security vulnerabilities.
If you discover a security vulnerability in any repository under the openjobspec organization, please report it responsibly by emailing:
Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Affected repository and version
- Potential impact assessment
- Any suggested fixes (if applicable)
We aim to respond on the following timeline:
- Acknowledgment: within 48 hours of receiving your report
- Initial assessment: within 7 days of receiving your report
- Resolution: a fix released within 30 days of confirming the vulnerability
We follow a coordinated disclosure process:
1. Reporter submits the vulnerability privately via email
2. We acknowledge receipt and begin investigation
3. We develop and test a fix
4. We release the fix and publish a security advisory
5. Reporter is credited (unless they prefer anonymity)
We ask that you allow up to 90 days from the initial report before disclosing publicly, so that we have time to develop and release a proper fix.
This security policy applies to all repositories under the openjobspec GitHub organization.
We believe in recognizing the efforts of security researchers. With your permission, we will acknowledge your contribution in the security advisory and release notes.
If you are implementing an OJS-compliant backend or SDK, please review the security considerations in the Core Specification and ensure your implementation follows the recommended practices for authentication, authorization, and input validation.