# Security Policy

[![Report a Vulnerability](https://img.shields.io/badge/Report%20a%20Vulnerability-Private%20Disclosure-2ea043?style=for-the-badge)](https://github.com/rishiyaduwanshi/boiler/security/advisories/new)

## Supported Versions

Security fixes are provided on a best-effort basis for the latest code paths.

| Version | Security Support |
| --- | --- |
| Latest stable release | Yes |
| main branch | Yes |
| Older releases | No |

If you are on an older release, upgrade to the latest version before reporting or validating a fix.

## Reporting a Vulnerability

Please do not open public GitHub issues for security vulnerabilities.

We appreciate your efforts to responsibly disclose your findings. We will make every effort to respond quickly and address concerns.

Use GitHub private vulnerability reporting:

- https://github.com/rishiyaduwanshi/boiler/security/advisories/new

Include the following details in your report:

- A clear description of the issue and impact
- Affected version, OS, and environment details
- Exact reproduction steps or proof of concept
- Any suggested remediation (optional)

## Response Process

After receiving a report, maintainers will:

1. Acknowledge receipt as soon as possible (target: within 7 business days).
2. Validate and assess severity.
3. Prepare and test a fix.
4. Coordinate disclosure and release notes.

Resolution timelines depend on complexity and maintainer availability, but critical issues are prioritized first.

## Disclosure Policy

- Please keep vulnerability details private until a fix is available.
- Once fixed, maintainers may publish a security advisory with affected versions and mitigation guidance.

## Scope

This policy covers vulnerabilities in:

- Boiler CLI source code
- Official install scripts in scripts/
- Officially maintained remote-fetching integrations

Third-party dependency vulnerabilities may need to be reported upstream in addition to this repository.