Please report security vulnerabilities privately, not through public issues.
- Preferred: open a private advisory at https://github.com/RunTimeAdmin/sbomix/security/advisories/new
- Email: hello@sbomix.com
Include the affected version, a description, and reproduction steps. We aim to acknowledge reports within 3 business days and will coordinate a disclosure timeline with you after triage. Please give us a reasonable window to ship a fix before disclosing publicly.
Security fixes are provided for the latest published release of the sbomix npm
package and the RunTimeAdmin/sbomix@v1 GitHub Action.
This policy covers the SBOMix CLI, the GitHub Action, and the hosted API at api.sbomix.com.