If you discover a security vulnerability in any Leborn project, please do not open a public issue.
Instead:
- Email security@leborn.dev (forthcoming) with details, OR
- Use GitHub's private vulnerability reporting on the affected repository, OR
- Contact the sponsor LLL Sdn Bhd for a private channel.
Include:
- Affected project (e.g. LePico, LeVue, LeNg)
- Affected version or commit
- Steps to reproduce
- Potential impact
- Any mitigations you have identified
You can expect:
- Acknowledgement within 5 business days
- An initial assessment within 2 weeks
- A coordinated disclosure timeline agreed upon with you
This policy covers all repositories under the leborn-dev organization.
For vulnerabilities in the upstream projects (Pico CMS, Vue 2, AngularJS, etc.), please report directly to those upstream maintainers per their security policies. We can help coordinate.
We may acknowledge reporters in release notes (with consent) but do not currently offer monetary bounties. Contact us if you have specific recognition needs.