If you discover a security vulnerability in Forge Kit, please report it responsibly.
Do not open a public GitHub issue for security-related concerns.
Instead, report vulnerabilities by emailing:
Please include:
- A description of the vulnerability
- Steps to reproduce (if applicable)
- Affected module(s) and version(s)
- Any potential impact or mitigation suggestions
We will acknowledge receipt and investigate promptly.
Forge Kit follows semantic versioning.
Only the latest released version is actively maintained for security updates. Older versions may not receive fixes.
This policy applies to:
- Source code within the Forge Kit repository
- Published Forge Kit artifacts
This policy does not apply to:
- Forks of the repository
- Downstream applications using Forge Kit
- The commercial Forge Platform (covered under separate agreements)
Forge Kit is designed with:
- Fail-closed defaults
- Explicit security boundaries
- Zero-trust assumptions
- Minimal implicit behaviour
Consumers are responsible for:
- Correct configuration
- Identity provider integration
- Secure deployment practices
Thank you for helping keep Forge Kit secure.