Security: unoforge/uno-ui

SECURITY.md

UnoUI Security Policy

We take the security of UnoUI and its users seriously. If you believe you have found a security vulnerability, please follow the process below so we can address it promptly and responsibly.

Support Status

  • Current status: pre-release/unversioned
  • We fix vulnerabilities on the latest main branch
  • No guaranteed backports to historical commits

Reporting a Vulnerability

Please do not report vulnerabilities through public GitHub issues or discuss them publicly before a fix is available.

Preferred reporting channel (private):

  • Use GitHub's Private Vulnerability Reporting (Security Advisories) feature:
    • Go to the repository's Security tab → "Report a vulnerability" and submit a private report to the maintainers.

If you cannot access GitHub’s Security Advisories, you may alternatively:

  • Open a new issue titled "SECURITY: request for private contact" that contains no technical details of the vulnerability, so a maintainer can reach out to you privately.

What to include

To help us triage quickly, please include:

  • A clear description of the issue and its potential impact
  • Steps to reproduce (PoC if available)
  • Affected commit/branch and environment details
  • Any suggested mitigations or fixes
  • Whether you’d like public credit upon disclosure

Our commitment and timeline

  • We will acknowledge your report within 72 hours.
  • We will provide a status update at least every 7 days until resolved.
  • Once a fix is ready, we’ll coordinate a disclosure timeline with you.

Disclosure Policy

  • We aim to release a fix before any public disclosure.
  • After a fix is published, we may publish a security advisory summarizing impact, affected commits/branches, and upgrades/workarounds.
  • We will credit reporters who wish to be acknowledged.

Scope

This policy covers security issues in this repository’s UnoUI packages and code. Vulnerabilities originating in third‑party dependencies should be responsibly disclosed to their respective maintainers; we may also coordinate if appropriate.

Safe Harbor

We support good‑faith security research. As long as you:

  • Make a good‑faith effort to avoid privacy violations, service degradation, or data destruction
  • Do not exploit a vulnerability beyond the extent necessary to prove its existence
  • Report the issue promptly through the channels above and give us reasonable time to remediate

we will not pursue legal action related to your research on this project.