Any Github authenticated user is allowed to to publish private vulnerability through the Github security vulnerability process

The locally published security report is kept private as long as:

• the vulnerability has been assessed
• the security fix is not written and reviewed
• a new release has not been delivered including the security fix

The security embargo is 90 days so that project maintainers can fix, test and deliver fixes.

The report author is free to reserve an associated CVE entry as soon as the embargo is respected.

For any questions and to inform the maintainers of the vulnerability existence, please contact outpost-os team.

By now, as the v1.0.0 version is not delivered, security fixes must match a vulnerability still present on main head.

As soon as the first Sentry >=1.0.0 release is delivered, vulnerabilities can also target the LTS defined releases (if they exist) and last stable releases.