This repository is maintained by TypeFox as open source software.
We take security vulnerabilities seriously and aim to handle reports in a responsible and coordinated manner.
This policy applies to vulnerabilities in the source code and published artifacts of this repository.
Security fixes are generally provided for the latest released version.
Older versions may receive fixes at our discretion, depending on severity and feasibility.
If you believe you have discovered a security vulnerability, please report it privately using GitHub’s vulnerability reporting feature:
🛡️ Security → Report a vulnerability
This creates a confidential security advisory that is visible only to the repository maintainers and to you as the reporter.
Please do not open public issues, discussions, or pull requests for security vulnerabilities.
When submitting a report, please include:
- A clear description of the issue
- Affected version(s)
- Steps to reproduce (if applicable)
- Potential impact
- Any relevant logs or proof-of-concept code (if available)
Providing detailed information helps us triage and resolve the issue more efficiently.
After receiving a report:
- We will assess whether the issue qualifies as a security vulnerability.
- We may request additional information if needed.
- If confirmed, we will prepare a fix or mitigation where feasible.
- We aim to coordinate disclosure responsibly and avoid unnecessary exposure before a fix is available.
Security fixes are documented in release notes. Where appropriate, a security advisory will be published through GitHub.
This project follows general secure development practices, including:
- Code review for all changes
- Controlled release processes
- Responsible dependency management
Where applicable, we align with recommendations from the Eclipse Security Handbook.