
Security: bubustack/core


SECURITY.md

Security policy

Supported versions

Version / branch                    Supported
v0.0.x                              Yes
main                                No
Older tagged release lines          No
Untagged snapshots / local forks    No

Reporting a vulnerability

The BubuStack Team and community take all security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

To report a security vulnerability, please use the GitHub Security Advisory feature for this repository:

Please do not report security vulnerabilities through public GitHub issues.

When reporting a vulnerability, please provide:

  • A clear description of the vulnerability and its potential impact.
  • Steps to reproduce the vulnerability, including any example code, scripts, or configurations.
  • The version(s) of the core module that are affected.
  • Your contact information so we can coordinate a fix.

Disclosure process

  1. Report: You report the vulnerability through the GitHub Security Advisory feature.
  2. Confirmation: We will acknowledge your report within 48 hours.
  3. Investigation: We will investigate the vulnerability and determine its scope and impact. We may contact you for additional information during this phase.
  4. Fix: We will develop a patch for the vulnerability.
  5. Disclosure: We will create a security advisory, issue a CVE (if applicable), and release a new version with the patch. We will credit you for your discovery unless you prefer to remain anonymous.

Target timelines (best effort): high severity within 30 days, medium within 60, low within 90. We will keep you updated throughout the process.

There aren’t any published security advisories