| Version | Supported |
|---|---|
| 0.x | ✅ |

Do not open a public issue for security vulnerabilities.
Instead, please report them via GitHub's private vulnerability reporting:
- Go to the Security tab of this repository
- Click Report a vulnerability
- Fill out the form with details about the vulnerability
Alternatively, email security@opentabletop.org with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:
- Acknowledgment: Within 48 hours
- Assessment: Within 7 days
- Fix: Depends on severity; critical issues targeted within 14 days
This policy covers:
- The OpenAPI specification (`spec/`)
- Reference server implementation (`reference/`)
- Official SDKs (`sdks/`)
- CI/CD pipelines and infrastructure
We follow coordinated disclosure. We will work with reporters to agree on a disclosure timeline, typically 90 days from the initial report.