Skip to content

Latest commit

 

History

History
49 lines (32 loc) · 1.53 KB

File metadata and controls

49 lines (32 loc) · 1.53 KB

Security Vulnerability Response — Sponsor Trust Policy

ARC-Neuron LLMBuilder treats dependency alerts as sponsor-trust issues.

Current Handling Rule

If GitHub reports a dependency vulnerability on the default branch:

  1. Open the repository Security tab / Dependabot alert.
  2. Identify the package, affected version, patched version, and dependency path.
  3. Apply the safe version bump when possible.
  4. Run public verification:
python scripts/validate_repo.py
python -m pytest tests -q
python scripts/production_verify.py
python scripts/seo_validate.py
  1. Commit the dependency fix with a clear message such as:
Fix Dependabot moderate dependency alert
  1. If the alert cannot be safely fixed immediately, document the reason in an issue and link the issue from this file.

Sponsor Boundary

Supporter, Builder, and Pro Builder sponsorship can proceed while a moderate alert is being triaged, provided the alert is not ignored.

Enterprise / Custom Repository Sponsor positioning should only be described as fully hardened when moderate-or-higher dependency alerts are resolved or explicitly documented with a risk boundary.

Recommended GitHub Command

gh repo view GareBear99/ARC-Neuron-LLMBuilder --web

Then open:

Security → Dependabot alerts

Public Trust Statement

This repo does not hide security status behind marketing language. Sponsor trust depends on public checks, dependency triage, and clear boundaries between open-source infrastructure support and custom delivery agreements.