We take security seriously. If you discover a vulnerability in FormaUI, please follow the responsible disclosure process below so we can address it promptly and prevent public disclosure before a fix is available.
Reporting a security issue
- Preferred: Open a private GitHub Security Advisory in the Evotrix-Labs/FormaUI repository. This lets maintainers coordinate a fix and disclose the issue securely once a patch is available.
- Alternative: Email the security contact at [email protected]
- Please do NOT open a public issue for security vulnerabilities.
What to include
When reporting, please provide:
- Component/package/crate name and version(s) affected
- Clear, reproducible steps to trigger the issue (proof-of-concept is very helpful)
- Expected vs actual behavior
- Any suggested mitigations or patches (optional)
- Your contact email for follow-up
Our response process
- Acknowledgement: We will acknowledge your report within 72 hours.
- Triage: We will triage and classify the severity of the issue and assign maintainers to investigate.
- Fix & release: We will prepare a fix, coordinate a secure release, and notify affected users via a security advisory and release notes.
- Disclosure timeline: We generally aim to coordinate public disclosure with the release of a patch. We follow a responsible disclosure timeline (typically 30–90 days depending on severity and coordination with downstream projects). If you and we agree on a different timeline, we will honor it.
Security best practices
- Run `npm audit` and `cargo audit` in CI as part of routine checks.
- Keep third-party dependencies minimal and review transitive dependencies periodically.
- Use Dependabot/renovate to keep dependencies up to date and automate PRs for fixes.
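The following GitHub Actions workflow is an added example of what the two best-practice items above look like in CI; it is not part of the FormaUI repository. It assumes a Node package with a package-lock.json and a Rust crate with a Cargo.lock at the repository root (adjust the paths if the packages live in subdirectories), and it fails the job on high-severity npm findings or on any cargo-audit warning so that vulnerable dependencies block a merge rather than only being logged.

```yaml
# .github/workflows/dependency-audit.yml (example, not FormaUI's own workflow)
name: dependency-audit

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    # Run weekly as well, so newly published advisories are caught
    # even when no code changes land.
    - cron: "0 6 * * 1"

permissions:
  contents: read

jobs:
  npm-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: npm
      # npm ci installs exactly what package-lock.json records, so the
      # audit reflects the tree that ships, not a freshly resolved one.
      - run: npm ci
      # Fail on high or critical advisories; lower severities are still
      # printed for review but do not block the build.
      - run: npm audit --audit-level=high

  cargo-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - run: cargo install cargo-audit --locked
      # --deny warnings also fails on yanked, unmaintained and unsound
      # crates listed in the RustSec advisory database, not only on
      # entries with a CVE-style vulnerability.
      - run: cargo audit --deny warnings
```

Both jobs run independently so a failure in one ecosystem is visible without masking the other. If a finding has no upstream fix yet, prefer recording a time-boxed exception (cargo-audit's `--ignore RUSTSEC-...` flag for a specific advisory ID, or an npm override pinning a patched transitive version) over disabling the job, so the exception is reviewed and expires rather than silently persisting.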
PGP / signing
- If you want to share sensitive details encrypted with a PGP key, indicate that in the initial contact and we will provide a public key to use.
Reporting vulnerabilities in dependencies
- If the issue involves a dependency, please include the dependency name and version, reproduction steps, and references to any published advisories.
Thank you for helping keep FormaUI safe. We appreciate responsible disclosure and will work to resolve reported issues quickly.