Security: php-forge/foxy

SECURITY.md

Security Policy

Reporting a Vulnerability

Do not open a public issue for security vulnerabilities.

Use the GitHub Security Advisories feature in the affected repository to report vulnerabilities privately:

  1. Navigate to the affected repository (e.g., https://github.com/php-forge/<package>).
  2. Go to the Security tab.
  3. Click Report a vulnerability.
  4. Provide a detailed description including steps to reproduce, impact, and any suggested fix.

For more information, see Privately reporting a security vulnerability.

Supported Versions

Security fixes are applied to the latest release of each package. Older versions do not receive security updates.

Response Timeline

  • Acknowledgment: Within 48 hours of the report.
  • Assessment: Within 7 days, an initial assessment and plan of action.
  • Fix and disclosure: A fix is developed, tested, and released before public disclosure.

Scope

This policy applies to all repositories under the php-forge organization.

There aren’t any published security advisories