This document describes how security vulnerabilities in the PIC Specification and its associated repositories are handled.
Only the latest stable release of the PIC Specification is supported for security updates at any given time.
Earlier drafts and obsolete versions are provided for reference only and are not maintained.
Security issues must be reported privately.
Please use GitHub Security Advisories:
https://github.com/pic-protocol/pic-spec/security/advisories/new
Do not open public issues for security vulnerabilities.
We consider vulnerabilities that could compromise any of the following properties of the PIC Specification, its reference materials, or its users:
- confidentiality,
- integrity,
- availability.
We aim to:
- acknowledge reports within 5 business days,
- provide an assessment or, when feasible, a resolution within 30 days.
Timelines may vary depending on severity and complexity.
We are happy to publicly acknowledge security reporters in release notes unless anonymity is requested.
Security response and coordination are handled by the Specification Steward: Nitro Agility S.r.l.