Skip to content

Security: Wide-Moat/open-computer-use

SECURITY.md

Security Policy

Reporting a vulnerability

Use the GitHub private vulnerability reporting form: Wide-Moat/open-computer-use → Security → Advisories → New advisory

Do not open a public issue or pull request for a security problem. Public disclosure happens after the fix lands and (where applicable) a CVE is published.

What's in scope

  • Code in this repository on the main and next/v1 branches.
  • Container images we publish to GHCR.
  • Helm chart we publish.

What's not in scope

  • Third-party dependencies — report upstream (we will track and patch).
  • Vulnerabilities in customer deployments unless the root cause is in our code.

Response timeline

We aim for:

  • Acknowledgement of receipt: ≤ 3 business days.
  • Initial severity assessment: ≤ 5 business days.
  • Patch + advisory for a confirmed vulnerability:
    • Critical with active exploitation: ≤ 30 days from confirmation.
    • Other Critical / High: ≤ 90 days from confirmation, matching the GitHub Security Advisory default coordinated-disclosure window.

A faster patch is always possible — these are upper bounds, not targets.

Supported versions

Each release of the Software is licensed under FSL-1.1-Apache-2.0 and automatically converts to Apache-2.0 two years after publication.

We patch security issues on main and next/v1. We may back-port fixes for confirmed Critical/High to the two most recent minor releases at maintainer discretion. Older minors are best-effort and not contractually supported.

Coordinated disclosure

We follow coordinated vulnerability disclosure. Once a fix is available and customers have had ≥ 30 days to upgrade, the advisory is made public with credit to the reporter (if requested).

There aren't any published security advisories