Security: bcgov/HOUS-permit-portal

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in this repository, we would appreciate it if you could report it to us responsibly. Please follow the instructions below to ensure your report is handled promptly.

Steps to Report a Vulnerability:

Before reporting a vulnerability, please take a moment to review the following guidelines:

  • Check for Known Issues: Ensure that the vulnerability you are reporting is not already known or being addressed. You can do this by reviewing the repository's issue tracker and recent commits.
  • Use a Test Environment: If possible, verify the vulnerability in a test environment to avoid any potential disruption to production systems.
  • Respect Privacy: Do not include any sensitive information (e.g., personal data, credentials) in your report.

Reporting Format

To help us understand and address the issue efficiently, please use the following format when reporting a vulnerability:

  • Title: A brief and descriptive title for the vulnerability.
  • Summary: A concise summary of the vulnerability and its potential impact.
  • Details: A detailed description of the vulnerability, including steps to reproduce, affected components, and any relevant logs or screenshots.
  • Mitigation: Any suggestions or recommendations for mitigating the vulnerability.
  • Contact Information: Your preferred contact information in case we need further details or clarification.

By following these guidelines, you will help us address security issues more effectively and ensure the safety of our users.

  1. Email us: Send a detailed report to our security team at BPH.Dev@gov.bc.ca

  2. Include the following details in your report:

    • Description: A detailed description of the vulnerability, including what it is, how it can be exploited, and any other relevant details.
    • Reproduction Steps: Clear and concise steps to reproduce the issue.
    • Impact: A description of the potential impact of the vulnerability, such as unauthorized access, data leakage, etc.
    • Proof of Concept (Optional): If applicable, provide a proof of concept demonstrating the issue.
    • Environment: Any relevant environment details (e.g., version of the software, operating systems, or configurations involved in the issue).
    • Severity Level: If you can, indicate whether the vulnerability is critical, high, medium, or low.

  3. What happens next:

    • We will acknowledge the receipt of your report within 24 hours.
    • We will work with you to validate and resolve the issue as quickly as possible.
    • If needed, we will coordinate a public disclosure of the vulnerability once it has been fixed.

Responsible Disclosure

We follow a responsible disclosure policy. Please do not publicly disclose the details of the vulnerability until it has been resolved. This gives us a chance to address the issue and protect users of the software.

Security Updates

Security patches and updates will be provided in a timely manner for any critical vulnerabilities. The update process will be communicated through relevant channels (e.g., GitHub releases, issue tracker).

Security Policies

  • Code of Conduct: Please be respectful and considerate when communicating security vulnerabilities. We value constructive feedback.
  • Security Practices: We adhere to industry best practices for software security, including regular security audits, automated testing, and dependency management.

Acknowledgments

We appreciate any help in making this repository more secure. All contributors to security improvements will be properly acknowledged in our release notes or in a security changelog.