Only the latest release on the main branch receives security fixes.
| Version | Supported |
|---|---|
| Latest (main) | Yes |
| Older releases | No |
Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.
To report a vulnerability privately, use one of the following methods:
Use GitHub's built-in private vulnerability reporting feature. Your report will be visible only to repository maintainers.
Send a description of the vulnerability to info@developmentgateway.org. Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept
- Affected package(s) and version(s) (`@devgateway/dvz-ui-react` or `@devgateway/wp-react-lib`)
- Any suggested mitigations
After a report is received, you can expect:
- Acknowledgement: within 5 business days of receipt
- Status update: within 15 business days
- Fix timeline: depends on severity; critical issues are prioritized
- Credit: reporters will be credited in the security advisory unless they request anonymity
This policy covers vulnerabilities in code maintained in this repository:
- `packages/dvz-ui` (`@devgateway/dvz-ui-react`)
- `packages/react-lib/wp-react-lib` (`@devgateway/wp-react-lib`)
The following are out of scope for this policy:
- Vulnerabilities in WordPress itself — report to the WordPress Security Team.
- Vulnerabilities in Apache Superset — report to the Apache Security Team.
- Vulnerabilities only exploitable with valid admin credentials to the running application.
- Docker base image vulnerabilities — report to the relevant upstream image maintainers.