Security: oss-slu/oss_cybersecurity

SECURITY.md

Security Policy

Our team and the broader organization at Open Source w/ SLU is committed to providing safe and secure software products as part of our mission to contribute to open science and the broader Open Source ecosystem. We thank all of our contributors and collaborators, both within and outside the organization, for helping us achieve this goal.

Reporting a Vulnerability

To report a vulnerability in one of our projects, please use GitHub's Security Advisory feature, following the formatting provided. Please make sure the affected projects are listed, and if the vulnerability is already a public exploit, please include references to the disclosure. A CVE number may also assist with determining the scope and impact of a vulnerability. Upon submission of the Security Advisory, a member of the Cybersecurity team will reach out to gather any further information, after which we will coordinate with the product team to apply a fix. Please do not post the vulnerability on the issues page! We have an internal method for tracking the status of vulnerability reports, and we will publish a report once we are certain the vulnerability has been patched (crediting the initial reporter unless you wish to remain anonymous). Until we publish that report, we ask that you refrain from publicly disclosing the vulnerability.

Currently, the GitHub Security Advisory is the only public-facing method for privately disclosing a vulnerability to the Cybersecurity team. We will update this document should another method become available or preferred.