Last updated: 31 July 2025

wcagUI is committed to protecting the security and privacy of our users. This document explains how we handle security issues and how you can help keep the project safe.

We follow Semantic Versioning. Only the latest patch release of each minor series receives security updates.

Note We may back‑port critical fixes to older branches on a best‑effort basis, but we encourage all users to upgrade promptly.

If you believe you have discovered a security vulnerability in wcagUI, do not open a public issue. Instead, choose one of the following private channels:

• GitHub’s “Report a Vulnerability” form, which opens a private Security Advisory.

Please include the following:

• Description of the issue and potential impact.
• Steps to reproduce or proof‑of‑concept code.
• Which versions are affected.
• Your preferred contact information and PGP key (optional).
• Whether you wish to be publicly credited.

We will coordinate a public disclosure once a patch is available and users have had reasonable time to upgrade (usually 24–48 hours). Reporters will be credited in release notes unless anonymity is requested.

This policy covers code, build scripts, and documentation within the devdojo‑it/wcag-ui GitHub organisation. Vulnerabilities in third‑party dependencies should be reported upstream unless they can be exploited solely through wcagUI.

• Vulnerabilities that require unrealistic resources (e.g., billions of requests).
• Best‑practice headers missing in demo pages or tests.
• Previously disclosed or fixed issues.

We currently do not run a paid bug‑bounty program, but we applaud responsible disclosure. Valid reports earn a place in our Security Hall of Fame and occasional swag (budget permitting).

This policy draws inspiration from the security guidelines of Kubernetes, Django, Node.js, and the GitHub default security policy.

Thank you for helping us keep wcagUI safe and accessible for everyone!