# Security Policy

This policy applies to the dokieli Web Annotation codebase. Vulnerabilities in third-party libraries should be reported upstream unless directly impacting this library's usage of them.

We ask that you give us a reasonable amount of time to address the vulnerability before any public disclosure.

## Reporting a Vulnerability

If you discover a security vulnerability, please do not file a public issue. Instead, contact us directly:

* Email: info@dokie.li
* PGP Public Key: 
* Fingerprint: 

We aim to acknowledge receipt of security reports within 3 working days and provide an initial assessment within 10 working days.

## What to Include in Your Report

Where applicable, please include the following information:

* A detailed description of the vulnerability.
* The software version in use.
* Environment details, such as web browsers, other web extensions, servers, or relevant example data.
* Screenshots.
* Steps to reproduce the issue.
* Potential impact of the vulnerability.
* A suggested fix (if any).

## Third Party CVE Handling

This library integrates third-party components by adopting the latest compatible versions available during development, ensuring they are up-to-date as part of its ongoing, community-driven evolution rather than fixed release cycles.

We use the [Common Vulnerability Scoring System Version 3.1 Calculator](https://www.first.org/cvss/calculator/3-1) to determine risk.

## Hall of Fame

We are happy to acknowledge contributors who responsibly disclose vulnerabilities, unless they wish to remain anonymous.
