SECURITY (external document, published; created Jun 13, 2026, updated Jun 13, 2026)

Security Policy

Supported Versions

Branch                      Supported
main (active development)   ✅ Active development
lts                         ✅ Security fixes
Older releases

Reporting a Vulnerability

Please use GitHub Private Vulnerability Reporting to report security issues.

This ensures your report is handled confidentially before public disclosure.

Do not open a public GitHub issue for security vulnerabilities.

What to include

  • Description of the vulnerability and its potential impact
  • Steps to reproduce or proof-of-concept
  • Affected versions/streams
  • Any suggested mitigations (optional)

Response Timeline

Stage                      Target
Initial acknowledgment     48 hours
Assessment complete        7 days
Fix/mitigation delivered   30 days (critical), 90 days (high/medium)
Public disclosure          After fix ships to :lts

Disclosure Policy

We follow coordinated disclosure. Reporters are credited in the release notes unless they request anonymity. We will not take legal action against researchers who follow this policy.

Scope

This policy covers the projectbluefin/bluefin-lts OCI image build pipeline, including:

  • Containerfile and build scripts in build_files/
  • GitHub Actions workflows in .github/workflows/
  • Supply chain: base image pinning, COPR repos, binary downloads
  • cosign signing and image integrity

Out of scope: Third-party packages bundled in the image (report upstream), Flatpaks (report to Flathub), Homebrew packages (report to upstream tap).