
Security: selfpatch/ros2_medkit

SECURITY.md

Security Policy

Reporting Security Vulnerabilities

Security vulnerabilities are taken seriously. I appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.

How to Report a Security Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them using one of the following methods:

  1. Preferred: GitHub Security Advisories (private vulnerability reporting)

    • Go to the Security tab of this repository
    • Click "Report a vulnerability"
    • Fill out the form with details about the vulnerability
  2. Alternative: Private email

    • If you cannot use GitHub's private reporting, contact the project maintainers via the contact email listed on the GitHub profile

What to Include in Your Report

To help us understand and resolve the issue quickly, please include:

  • Description - A clear description of the vulnerability and its potential impact
  • Steps to Reproduce - Detailed steps to reproduce the issue
  • Proof of Concept - Code, screenshots, or logs demonstrating the vulnerability
  • Impact Assessment - Your assessment of the severity and potential impact
  • Suggested Fix - If you have ideas for mitigation or remediation (optional)
  • Disclosure Timeline - Your preferred timeline for public disclosure

What to Expect

  • Acknowledgement - I will acknowledge receipt of your report within 5 business days
  • Updates - I will keep you informed about progress in addressing the vulnerability
  • Credit - With your permission, you will be credited in any public disclosure of the vulnerability
  • Timeline - The goal is to resolve critical vulnerabilities within 90 days of initial report

Responsible Disclosure

Please allow reasonable time to investigate and address the vulnerability before making any information public. I commit to:

  • Responding promptly to your report
  • Keeping you updated on progress
  • Working with you to understand and resolve the issue
  • Publicly acknowledging your responsible disclosure (unless you prefer to remain anonymous)

Supported Versions

Version   Supported
main      Yes (security fixes land here; see note below)

Note: As ros2_medkit is currently in early development, security updates will be applied to the main branch. Once stable releases are available, this section will be updated with specific version support information.

Security Best Practices

When using ros2_medkit in your ROS 2 system:

  • Keep your ROS 2 distribution and ros2_medkit up to date
  • Follow ROS 2 security best practices
  • Properly configure access controls for diagnostic data
  • Review and audit diagnostic configurations regularly

Questions?

If you have questions about this security policy or the security of ros2_medkit, please open an issue in the repository.

Thank you for helping keep ros2_medkit and its users safe!
