Email security@openseo.dev. Do not open a public issue.

Include:

• Description of the vulnerability
• Steps to reproduce
• Impact assessment (what an attacker could do)

• We aim to acknowledge reports within 48 hours.
• We will provide a fix timeline within 7 days.
• Critical vulnerabilities will be patched as soon as possible.

Only the latest release on main is supported with security fixes.

This policy covers the OpenSEO application and its official Docker images. Third-party integrations, hosting infrastructure, and AI provider APIs are the operator's responsibility.