This is a default, organization-wide security policy for OctalMesh repositories. It applies to repositories that do not provide their own SECURITY.md.

If you discover a security vulnerability, do not open a public issue, discussion, or pull request. Instead, report it privately:
- Email: security@octalmesh.com (preferred)
- Or contact a core organization maintainer directly

Where possible, include the following in your report:
- Description of the issue
- Affected component(s) or service(s)
- Repository and file paths involved
- Steps or conditions required to reproduce the issue
- Potential impact
- Suggested mitigation, if available

Incomplete reports are still welcome, but detailed reports allow faster and more accurate triage.

Reports can be submitted in the following languages:
- English
- Ukrainian
- Russian

We aim to follow this process:
- Acknowledgement: within 48 hours
- Initial assessment: within 5 business days
- Fix & disclosure: as soon as reasonably possible

Timelines may vary depending on severity and complexity.

This default policy applies to:
- Source code, workflows, and configurations in repositories without their own security policy
- Organization-wide templates and shared configuration

Application-specific vulnerabilities should be reported according to the SECURITY.md of the affected repository. Third-party services and dependencies follow their own security policies.