This is the default security policy for RampStack's public repositories. Individual repositories may publish a more detailed policy that takes precedence.
Report security issues privately through GitHub's private vulnerability reporting on the affected repository (Security tab, then Report a vulnerability). If you cannot use that, email security@rampstack.co.
Include the affected repository, a description of the issue, and reproduction steps if you have them. Do not open a public issue or PR for a security report.
We aim to acknowledge a report within 3 business days and to agree a disclosure timeline with the reporter.