MeridianAlgo is committed to maintaining the security and integrity of our open-source projects. We take security vulnerabilities seriously and encourage responsible disclosure.

The following versions of our projects are currently supported with security updates:

Do not open a public issue for security vulnerabilities. Instead, report them privately:

1. Email: security@meridianalgo.org
2. Include in your report:
   • Type of vulnerability (e.g., XSS, SQL injection, etc.)
   • Affected project and version
   • Steps to reproduce the issue
   • Potential impact assessment
   • Any proof-of-concept code or screenshots

• Initial Response: Within 48 hours
• Detailed Assessment: Within 7 business days
• Resolution Timeline: Depends on severity, typically 2-4 weeks

1. Confirmation: We will acknowledge receipt of your report
2. Validation: Our security team will investigate and validate the vulnerability
3. Coordination: We will work with you to understand and resolve the issue
4. Disclosure: We will coordinate public disclosure after the fix is deployed

We classify vulnerabilities using the CVSS (Common Vulnerability Scoring System):

• Remote code execution
• Privilege escalation
• Data breaches affecting multiple users

• Authentication bypass
• Significant data exposure
• Denial of service attacks

• Limited data exposure
• Cross-site scripting (XSS)
• CSRF vulnerabilities

• Information disclosure
• Minor security misconfigurations

• Never commit secrets: API keys, passwords, tokens, or credentials
• Use environment variables: For all configuration and sensitive data
• Validate inputs: Sanitize and validate all user inputs
• Follow secure coding practices: OWASP guidelines and language-specific security recommendations
• Keep dependencies updated: Regularly update and scan for vulnerabilities

• Keep software updated: Use the latest stable versions
• Review permissions: Apply principle of least privilege
• Monitor for updates: Subscribe to security announcements
• Report suspicious activity: Contact us if you notice unusual behavior

Our projects implement the following security measures:

• Input validation and sanitization
• Secure authentication and authorization
• Encryption of sensitive data at rest and in transit
• Regular security audits and penetration testing
• Dependency vulnerability scanning
• Secure development lifecycle practices

1. Report Received: Vulnerability reported to security team
2. Assessment: Team validates and classifies severity
3. Development: Fix is developed and tested
4. Deployment: Fix is deployed to affected versions
5. Public Disclosure: Security advisory is published

• Security advisories are published on GitHub
• CVE numbers are requested for critical and high-severity issues
• Credit is given to reporters (with permission)
• Timeline: Typically within 90 days of initial report

Our security team includes:

• Security Engineers: Vulnerability assessment and remediation
• Development Leads: Code review and secure implementation
• Infrastructure Team: System security and monitoring
• Legal Counsel: Compliance and disclosure coordination

We commit to not take legal action against security researchers who:

• Report vulnerabilities in good faith
• Follow our disclosure policy
• Do not exploit vulnerabilities beyond what's necessary for demonstration
• Do not damage or disrupt our services

Researchers must:

• Comply with applicable laws
• Not access or exfiltrate user data
• Not use automated tools that could cause disruption
• Respect user privacy and system integrity

• OWASP Top 10: https://owasp.org/www-project-top-ten/
• CVE Database: https://cve.mitre.org/
• National Vulnerability Database: https://nvd.nist.gov/
• GitHub Security Advisories: https://github.com/security/advisories

• Security Team: security@meridianalgo.org
• General Inquiries: contact@meridianalgo.org
• Security Issues: security@meridianalgo.org (for vulnerability reports only)

We thank the security community for helping us maintain secure and reliable open-source software. Your contributions make our projects safer for everyone.

This policy is regularly updated to reflect current security practices and threat landscapes. Last updated: January 2026