We take the security of our project seriously. If you discover a security vulnerability, please follow the instructions below to report it responsibly.
This policy applies to vulnerabilities in the Moodle Design System codebase and its dependencies. Issues related to third-party services, social engineering, or denial-of-service attacks are out of scope.
Do not report security vulnerabilities through public GitHub issues.
Instead, please report security issues by creating an issue in the Moodle Design System tracker.
When reporting, please include:
- A clear description of the vulnerability
- Steps to reproduce the issue
- The impact and potential risk
- Affected versions or components
- Any relevant logs, screenshots, or proof-of-concept code
We aim to acknowledge your report within 3 business days and provide a resolution within 30 days. We may request additional information to help us resolve the issue. Reports are handled in the following stages:
- Triage: We review and validate the report.
- Investigation: We assess the impact and determine a fix.
- Resolution: We implement and test the fix.
- Disclosure: We coordinate public disclosure with the reporter, if appropriate.
Duplicate or low-severity issues may be closed with an explanation.
We provide security updates for the latest major version. Older versions may not receive security fixes.
We prefer all communications to be in English.
We follow the principle of Responsible Disclosure. We ask that you give us a reasonable amount of time to address the issue before disclosing it publicly.
We appreciate responsible reporters and, with your permission, will credit you in our release notes. If you wish to remain anonymous, please let us know.
All vulnerability reports are handled confidentially. We will not share your information outside the security response team without your consent.
We will not pursue legal action against individuals who report vulnerabilities in good faith and follow this policy.
We use automated tools (e.g., Dependabot) to monitor our dependencies for known vulnerabilities.
This policy may be updated from time to time. Please refer to the repository for the latest version.
Thank you for helping keep our project and community safe.