Security fixes are applied on the latest release line published from this repository (semver tags on develop / GitHub Releases). Older tags are not maintained unless stated in a release advisory.
Do not open a public GitHub issue for security vulnerabilities.
Preferred channels:
- Private vulnerability reporting (when enabled): use Security → Advisories → Report a vulnerability on GitHub.
- GitHub Security Advisories for this repository: fluid-pub/probe-core security advisories.
- If neither channel is available, contact the Fluid maintainers through your usual Fluid support or security contact path.
Include enough detail to reproduce the issue (affected version, configuration, steps, impact). We aim to acknowledge reports within a few business days and will coordinate disclosure once a fix is available.
- Confirmed issues are tracked as security advisories or private reports until a fix is released.
- Credit is given to reporters when they agree, unless anonymity is requested.
- Dependabot and CodeQL may open pull requests for dependency or static-analysis findings; those are handled like other contributions via develop.
This policy covers the probe-core Go library published from this repository and consumed as the core/ submodule by public Fluid probes. It does not cover downstream probe images, operator deployments, or third-party services you integrate with probes.