If you discover a security vulnerability in ShieldBOM, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please open a GitHub Security Advisory.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Fix or mitigation: depends on severity, but we aim for patches within 30 days for critical issues
This policy covers the ShieldBOM CLI tool and its dependencies. Issues in upstream vulnerability databases (NVD, OSV) should be reported to those projects directly.
Supported versions:

| Version | Supported |
|---|---|
| 0.1.x | Yes |