Wolfy Open Source is committed to maintaining a secure, reliable, and production-grade engineering ecosystem. Security is treated as a core system requirement, not an optional feature.

This document defines how security vulnerabilities should be reported, handled, and resolved across all repositories under the organization.

Security updates are provided only for actively maintained versions of repositories.

Maintainers may define additional version support per repository when required.

If you discover a security vulnerability, do NOT disclose it publicly.

Instead, report it responsibly through one of the following channels:

• GitHub Security Advisories: https://github.com/wolfy-online/.github/security/advisories

• Contact mailto:support@wolfy.online

• Report via repository-specific SECURITY.md instructions (if available)

To help us validate and resolve the issue efficiently, include:

• A clear description of the vulnerability
• Steps to reproduce the issue
• Affected component or repository
• Potential impact assessment
• Suggested mitigation (if available)

The more precise the report, the faster it can be addressed.

We aim to follow a structured response process:

• Acknowledgement: within 48–72 hours
• Initial assessment: within 5–7 working days
• Fix development: depends on severity and system impact
• Release of patch: as soon as stable resolution is validated

Critical vulnerabilities may be prioritized immediately.

Once a vulnerability is confirmed:

• It is assigned a severity level (Low / Medium / High / Critical)
• A fix is developed in a private branch
• Testing is performed before public release
• A patched version is deployed or released
• Security advisory is published (if applicable)

We request all security researchers and contributors to:

• Avoid public disclosure until a fix is released
• Avoid exploiting the vulnerability beyond proof-of-concept testing
• Coordinate with maintainers during investigation

Responsible disclosure helps protect users and maintain system integrity.

The following are generally considered out of scope:

• Denial of Service (DoS) via excessive requests without exploit chain
• Issues in outdated or unsupported dependencies
• Vulnerabilities requiring physical access
• Social engineering attacks
• Self-inflicted misconfiguration issues

However, any issue with significant security impact may still be reviewed.

All contributors are expected to follow secure development practices:

• Validate and sanitize all inputs
• Avoid exposing sensitive data in logs
• Follow principle of least privilege
• Use secure authentication and authorization patterns
• Keep dependencies updated
• Avoid hardcoded secrets or credentials

Wolfy aligns with widely accepted security engineering standards:

• OWASP Top 10: https://owasp.org/www-project-top-ten/
• OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/
• GitHub Security Best Practices: https://docs.github.com/en/code-security
• Responsible Disclosure Guidelines: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html

This policy applies to:

• All repositories under Wolfy Open Source Organization
• All services, APIs, and infrastructure components
• All contributors, maintainers, and external reporters

Security is a foundational pillar of Wolfy Open Source Organization.

We appreciate the efforts of security researchers and contributors who help improve the safety and reliability of our ecosystem through responsible disclosure and collaboration.