3 Leaps, LLC is committed to ensuring the security of our open-source projects and supported ecosystems (e.g., fulmenhq, mdmeld, docemist). We appreciate the community's help in responsibly disclosing vulnerabilities to protect users. This policy outlines how to report issues and our process for handling them.
All reports and handling must align with our CODE_OF_CONDUCT.md.
Security updates are provided for the latest major releases of our OSS projects. For details on specific projects, check their repositories.
If you discover a potential security vulnerability, please report it privately—do not disclose it publicly (e.g., via issues or forums) until we've had a chance to address it.
- Preferred Method: Email security@3leaps.net with details, including:
  - A description of the vulnerability.
  - The affected project and version, and steps to reproduce.
  - Potential impact (e.g., data exposure, denial of service).
  - Any proposed fixes or patches.
- Alternative: Use GitHub Security Advisories in the affected repository (if enabled) for private reporting.
- Encryption: For sensitive details, encrypt your report with our public PGP key (available upon request).
We treat all reports as confidential. Our handling process:
- Acknowledgment: We'll confirm receipt and provide an initial assessment within 3 business days.
- Triage and Validation: Our team will investigate and validate the issue, typically within 7 days.
- Fix Development: If confirmed, we'll develop a fix. The timeline depends on severity; we aim to resolve critical issues within 30 days.
- Coordinated Disclosure: We'll work with you on a disclosure plan. Vulnerabilities are disclosed publicly once a fix is released, or 90 days after the report, whichever comes first, unless we mutually agree otherwise.
- Credit: Reporters are credited in advisories (with your permission) for responsible disclosures.
If you follow this policy in good faith (e.g., no exploitation beyond proof-of-concept), we will not pursue legal action against you. We consider this ethical security research.
For questions about this policy, contact security@3leaps.net or open a non-security issue in this repo.
This policy is subject to change. Last updated: 2025-08-04.