We take security seriously and appreciate responsible disclosures.
If you believe you’ve found a vulnerability, please follow the process below.

We currently provide security fixes for the latest minor release and the main branch.

Note: This project is pre-1.0; interfaces may evolve quickly. Please upgrade to the latest release before reporting issues when possible.

Do not open a public issue.
Instead, choose one of the following private channels:

1. GitHub Security Advisory (preferred):
   Create a private report via Security → Advisories → Report a vulnerability in this repo.
2. Email:
   Send details to baris.sayli@gmail.com with the subject SECURITY: <short summary>.

Please include:

• A clear description of the issue and potential impact.
• A minimal proof-of-concept (PoC) or steps to reproduce.
• Affected version(s) (commit hash or tag) and environment details.
• Any suggested remediation ideas if you have them.

We aim to respond in a timely and transparent way, keeping you informed throughout key stages.

• Acknowledgement: typically within a few days after receiving a report.
• Triage & Reproduction: investigated as soon as practical based on severity.
• Fix Planning: prioritized according to impact and complexity.
• Release: patches are published once validated; coordinated disclosure may be used for sensitive issues.

We’ll keep reporters informed at major milestones such as triage results, fix readiness, and release timing.

We use a pragmatic CVSS-like approach:

• Critical/High: RCE, auth bypass, or issues enabling widespread compromise.
• Medium: Information disclosure, privilege/DoS limited to a single service.
• Low: Hardening gaps, misconfigurations, limited-edge misuse.

Severity influences prioritization and disclosure timing.

• We prefer coordinated disclosure. Please do not share details publicly until a fix is available.
• With your consent, we’re happy to credit reporters in release notes (name/handle).

In scope

• customer-service (server / OpenAPI producer)
• customer-service-client (generated client & overlays)
• Templates, schema customizers, and build instructions contained in this repo

Out of scope

• Vulnerabilities exclusively within third-party dependencies (report upstream first)
• Demo/test-only code that is not used in production contexts
• Deployment-specific misconfigurations outside the repo

To focus on impactful issues, we generally exclude:

• Best-practice suggestions without a practical exploit scenario
• Rate limiting / generic DoS without a novel exploit
• Missing security headers in dev/demo endpoints
• Social engineering or physical attacks

If you’re unsure whether something qualifies, email baris.sayli@gmail.com and we’ll help triage.

Thank you for helping keep the community safe! 🙏