Use the GitHub private vulnerability reporting form: Wide-Moat/open-computer-use → Security → Advisories → New advisory
Do not open a public issue or pull request for a security problem. Public disclosure happens after the fix lands and (where applicable) a CVE is published.
- Code in this repository on the
mainandnext/v1branches. - Container images we publish to GHCR.
- Helm chart we publish.
- Third-party dependencies — report upstream (we will track and patch).
- Vulnerabilities in customer deployments unless the root cause is in our code.
We aim for:
- Acknowledgement of receipt: ≤ 3 business days.
- Initial severity assessment: ≤ 5 business days.
- Patch + advisory for a confirmed vulnerability:
- Critical with active exploitation: ≤ 30 days from confirmation.
- Other Critical / High: ≤ 90 days from confirmation, matching the GitHub Security Advisory default coordinated-disclosure window.
A faster patch is always possible — these are upper bounds, not targets.
Each release of the Software is licensed under FSL-1.1-Apache-2.0 and automatically converts to Apache-2.0 two years after publication.
We patch security issues on main and next/v1. We may back-port fixes for confirmed Critical/High to the two most recent minor releases at maintainer discretion. Older minors are best-effort and not contractually supported.
We follow coordinated vulnerability disclosure. Once a fix is available and customers have had ≥ 30 days to upgrade, the advisory is made public with credit to the reporter (if requested).