Security: PackmindHub/packmind

.github/SECURITY.md

Security Policy

Our Commitment

The Packmind team takes the security of our software and infrastructure seriously. We appreciate the efforts of security researchers and the community in helping us maintain a secure project.

Supported Versions

We provide security updates for all Packmind versions.

Security updates are applied to the main branch and released as soon as possible after verification.

Reporting a Vulnerability

We use GitHub's Security Advisories for receiving and managing security vulnerability reports. This ensures that sensitive information remains private until a fix is available.

How to Report

  1. Go to the Security tab of this repository
  2. Click "Report a vulnerability"
  3. Fill out the advisory form with as much detail as possible

Scope

Please report any security issues related to:

  • Codebase vulnerabilities: Authentication bypasses, injection flaws, XSS, CSRF, insecure dependencies, etc.
  • Infrastructure and deployment issues: Container security, configuration vulnerabilities, exposed secrets, etc.

What to Include

To help us triage and address the issue quickly, please include:

  • Description: Clear explanation of the vulnerability
  • Impact: What an attacker could achieve
  • Steps to reproduce: Detailed instructions to verify the issue
  • Affected components: Which parts of the system are vulnerable
  • Suggested fix (optional): Your recommendation for remediation
  • Proof of concept (optional): Code or screenshots demonstrating the issue

Response Timeline

  • Acknowledgment: Within 6 hours of submission
  • Initial assessment: Within 24 hours
  • Resolution: Within 3 days for critical issues, longer for lower severity

We will keep you informed throughout the process and credit you in the security advisory (unless you prefer to remain anonymous).

Security Update Process

  1. Verification: We confirm and assess the vulnerability
  2. Fix development: We develop and test a patch
  3. Advisory publication: We publish a GitHub Security Advisory
  4. Release: We release the fix in a new version
  5. Notification: We notify users through GitHub releases and advisories

Disclosure Policy

We follow a coordinated disclosure process:

  • Please give us a reasonable time to address the issue before public disclosure
  • We will work with you to understand the issue and develop a fix
  • We will credit you in the security advisory (unless you prefer anonymity)
  • We will not pursue legal action against researchers who follow this policy

Out of Scope

The following are generally considered out of scope:

  • Vulnerabilities in dependencies that are already publicly known
  • Issues that require physical access to a user's device
  • Social engineering attacks
  • Denial of service attacks

Recognition

While we do not offer a bug bounty program, we deeply appreciate the security community's contributions. Researchers who report valid security issues will be:

  • Credited in the security advisory
  • Acknowledged in our release notes
  • Listed in our security acknowledgments (if desired)

Questions?

If you have questions about this policy or need to discuss a security concern that doesn't fit the reporting process above, please open a discussion in the Discussions tab.

Thank you for helping keep Packmind and our users safe!