We take the security of JsonApiBundle seriously and appreciate coordinated disclosure from the community.
- Do not open a public issue.
- Submit a private report using GitHub Security Advisories so maintainers can triage confidentially.
- If you prefer email, contact the maintainers at security@alexfigures.dev. Include:
  - A clear description of the vulnerability and its impact
  - Steps to reproduce or a proof of concept
  - Any mitigation you have identified
You will receive an acknowledgement within 48 hours. We aim to provide an initial assessment and remediation timeline within 5 business days.
| Version | Supported | Notes |
|---|---|---|
| main branch | ✅ Yes | Active development branch |
| Latest minor release | ✅ Yes | Receives bug & security fixes |
| Older releases | | Please upgrade to the latest release |
- Once a fix is ready, we will coordinate a release date with you.
- After publishing a release that contains the fix, we will disclose the vulnerability details and credit reporters (unless you request anonymity).
- If we do not hear back within 14 days at any stage, we may proceed with disclosure to protect the community.
Thank you for helping keep JsonApiBundle secure.