This is the organization-wide security policy for Floe Labs.
It applies to all Floe Labs projects (public and private) that do not define their
own SECURITY.md. A repository that ships its own policy overrides this default.
For each actively maintained Floe Labs package, only the latest released version is supported with security fixes. Please upgrade to the latest version before reporting an issue.
Do not open a public GitHub issue for security vulnerabilities.
Report them privately by email to security@floelabs.xyz. If you do not get a response, use hello@floelabs.xyz as a fallback contact.
Please include:
- the affected project (repository and package),
- a description of the vulnerability and its impact,
- steps to reproduce (a minimal proof of concept helps),
- the affected version.

After you report:
- We aim to acknowledge your report within 3 business days.
- We will keep you updated on our assessment and the fix.
- Please give us a reasonable window to release a fix before any public disclosure.
Thank you for helping keep Floe Labs projects and their users safe.