Security: Accenture/SWAO

SECURITY.md

// =======================================================================
//
//   S W A O
//
//   Sovereign Workload Assessment and Onboarding
//   AI-accelerated cloud workload compliance assessment
//
//   Community Edition -- Apache 2.0 -- Security Policy
//
//   Website       : https://steady-echo-yp4z.here.now
//   Technical Docs: https://accenture.github.io/SWAO/en/
//   Source Code   : https://github.com/Accenture/SWAO
//
// =======================================================================

Security Policy

Supported Versions

Only the latest release receives security fixes. Older versions are not patched.

Version           Supported
Latest release    Yes
Older releases    No

Reporting a Vulnerability

Please do not report security vulnerabilities via public GitHub issues.

Report vulnerabilities privately using GitHub Security Advisories:

https://github.com/Accenture/SWAO/security/advisories/new

This creates a private channel visible only to repository maintainers. Please include:

  • A description of the vulnerability
  • Steps to reproduce or a proof-of-concept
  • The potential impact you have identified
  • Your suggested severity (Critical / High / Medium / Low)

Response SLA: We will acknowledge your report within 5 business days and provide an initial assessment. We will keep you informed as we work towards a fix.

Out of Scope

The following are considered out of scope for this security policy:

  • Theoretical vulnerabilities without a working proof-of-concept
  • Issues affecting only versions that are no longer supported
  • Social engineering attacks targeting project contributors or maintainers
  • Vulnerabilities in third-party dependencies that have no exploitable impact on SWAO itself

Security Updates

Security fixes are published via:

  • GitHub Releases -- release notes will indicate when a release addresses a security issue
  • GitHub Discussions / Announcements -- significant vulnerabilities will be announced in the Announcements category

There aren't any published security advisories