Security: Mehrdoost/devsecops-radar

SECURITY.md

Security Policy

Pipeline Sentinel takes security seriously.
We appreciate your help in keeping the project and its users safe.


Reporting a Vulnerability

Please do not open a public issue for security vulnerabilities.

To report a vulnerability, send an email to:

📧 70381337+Mehrdoost@users.noreply.github.com

We will acknowledge your report within 48 hours and provide an initial assessment within 5 working days.
We kindly ask you to keep the issue confidential until a fix is released.


Supported Versions

Only the following versions receive security updates:

Version    Supported
0.4.x      ✅ Active support
0.3.x      ✅ Security fixes
< 0.3.0    ❌ End of life

We strongly recommend always running the latest release.


What to Include in a Report

To help us reproduce and understand the issue, please include:

  • A clear description of the vulnerability
  • Steps to reproduce (code, screenshots, environment details)
  • The potential impact (data leak, privilege escalation, etc.)
  • Any suggested mitigations or fixes

Disclosure Process

  1. Report – The vulnerability is reported privately.
  2. Triaging – The maintainers confirm the issue and assess severity.
  3. Development – A fix is prepared in a private fork.
  4. Release – A new release containing the fix is published.
  5. Advisory – A public advisory is issued via GitHub Security Advisories, crediting the reporter (with permission).

We aim to release fixes for critical issues within 7 days.


Scope

This policy covers the Pipeline Sentinel codebase and its official releases.
Issues in third-party dependencies should be reported to the respective projects; however, we will assist where possible.


Safe Harbor

We will not pursue legal action against anyone who:

  • Makes a good-faith effort to follow this policy
  • Avoids data destruction, denial of service, or privacy violations during testing
  • Reports the vulnerability promptly

We consider such research a valuable contribution to the community.


Recognition

With your permission, we will publicly thank you in the advisory and in our release notes.
We are also open to including you in a security hall of fame (planned).


Thank you for helping keep Pipeline Sentinel secure.