Open Source & Security Africa (OSSAfrica) takes security seriously. We appreciate your efforts to responsibly disclose security vulnerabilities.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing: security@ossafrica.org
Include the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Any suggested fixes or mitigations
You can expect the following response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 7 days
- Status updates: every 14 days until resolution
This security policy covers:
- OSSAfrica governance repositories
- Community infrastructure and platforms
- Official OSSAfrica tools and applications
- Community Discord server security issues
OSSAfrica follows these security practices:
- All repositories require signed commits for maintainers
- Branch protection rules enforce code review requirements
- Dependency scanning enabled on all repositories
- Regular security audits of governance documents
- Code of Conduct enforcement
- Moderation guidelines for community spaces
- Privacy protection for community members
- Secure communication channels
- Multi-factor authentication required for all maintainers
- Regular access reviews and permission audits
- Encrypted communication for sensitive discussions
- Secure backup and recovery procedures
Supported versions:
| Version | Supported |
|---|---|
| Latest | ✅ |
| Previous | ✅ |
| Older | ❌ |
For urgent security matters, contact the Core Team through:
- Email: security@ossafrica.org
- Discord: Direct message to Core Team members
- OpenSSF BEAR Working Group escalation for critical issues
We will acknowledge security researchers who responsibly disclose vulnerabilities in our security advisories, unless they prefer to remain anonymous.