The security of our project and its users is a priority. This document explains how to report vulnerabilities and what to expect when interacting with our team about security concerns.
We provide security updates for the following versions of the project:
| Version | Supported |
|---|---|
| Latest (main) | ✅ |
| Older versions | ❌ |
If you are using an older version, we recommend updating to the latest version to ensure better security and support.
If you identify a security vulnerability, please report it by opening an issue in the project's repository.
When reporting a vulnerability, include the following information in your report:
- A detailed description of the vulnerability.
- Clear steps to reproduce the issue.
- Potential impacts or exploitation scenarios.
- Suggestions to mitigate the issue (if applicable).
We commit to:
- Acknowledging receipt of your report within 48 hours.
- Working to understand and resolve the issue as quickly as possible.
- Notifying you once a solution is implemented and published.
This project focuses primarily on open hardware and related tools. We consider the following vulnerabilities relevant:
- Security flaws in firmware or hardware design.
- Issues related to build pipelines, repositories, or deployment tools.
- Backdoors or unintended vulnerabilities in open-source tools used by the project.
Once a vulnerability is reported and confirmed, the following process will be followed:
- Acknowledgment of the issue within 48 hours.
- Analysis and validation of the reported vulnerability.
- Development of an appropriate fix or mitigation.
- Release of a patch, followed by a public explanation (if necessary).
Our goal is to release fixes as quickly as possible, taking into account the severity and complexity of the issue.
If you have any questions about this policy or need additional clarification, contact us through the issues section in the repository.