Please do not open public GitHub issues for security vulnerabilities.
Preferred reporting channels:
- Email security@ottabase.com
- GitHub private vulnerability reporting (Security Advisories) for this repository
If email is unavailable, use GitHub private reporting to avoid public disclosure.
- Description of the vulnerability
- Steps to reproduce the issue
- Affected versions and components
- Potential impact assessment
- Any suggested fixes (optional)
| Stage | Timeframe |
|---|---|
| Acknowledgement | Within 48 hours |
| Initial assessment | Within 7 days |
| Fix and disclosure | Coordinated with reporter |
| Version | Supported |
|---|---|
| latest (main) | ✅ Yes |
| older commits | ❌ No |
We appreciate responsible disclosure. Security researchers who report valid vulnerabilities will be credited in the release notes (unless they prefer to remain anonymous).
This policy applies to all packages and applications within the Ottabase monorepo. Third-party dependencies are excluded but will be escalated to their respective maintainers.