Security: adi-family/http

SECURITY.md

Security Policy

Thanks for helping keep the ADI Family projects safe.

This policy applies to every public repository under the adi-family organization on GitHub and the websites served from github.withadi.dev (including subpaths like /box/).

Reporting a vulnerability

Two channels, pick whichever fits:

  • GitHub Private Vulnerability Reporting (preferred for structured reports) — open a private advisory on this .github repo: https://github.com/adi-family/.github/security/advisories/new. This is the org-wide catch-all entry point; you don't need to find the specific repo where the bug lives. Reports are encrypted and give you a private conversation thread with the maintainers.

  • Email security@withadi.dev. Use this for anything that doesn't fit the structured form (coordination, large attachments, questions, or if you can't access GitHub).

If you're not sure which to use, email is fine.

What to expect

  • Acknowledgment within 72 hours.
  • Initial triage and severity assessment within 7 days.
  • Fix and coordinated disclosure on a timeline that depends on severity, complexity, and any third-party coordination. We'll keep you in the loop and won't disclose until you confirm the fix is effective.

ADI Family is an early-stage solo / small-team effort — please be patient if a response stretches past these targets on a holiday or travel week. Anything truly time-critical should mention "URGENT" in the subject so it surfaces faster.

Supported versions

Only the latest commit on main of each repo is supported. There are no LTS branches yet. If you find an issue in an older release, please also check whether it reproduces on main before reporting.

Scope

In scope:

  • All public repositories under adi-family on GitHub.
  • The site at github.withadi.dev/ and any subpath (e.g. github.withadi.dev/box/).
  • Any first-party plugin, CLI tool, or generated artifact published by this org.

Out of scope (please don't open reports for these):

  • Vulnerabilities in third-party dependencies — report those upstream. We'll consume their fixes once released.
  • Findings from automated scanners with no demonstrated impact (e.g. "missing CSP" without a working exploit, dependency-version warnings without a known CVE).
  • Social-engineering or phishing attempts targeting maintainers.
  • Issues in unsupported branches or unmaintained forks.
  • Findings that depend on attacker-controlled compiler / build tooling or already-compromised developer machines.

Acknowledgments

We'll credit reporters in the advisory unless you'd prefer to stay anonymous — please say so in the report. We don't currently run a bounty program.

Machine-readable mirror

The RFC 9116 security.txt for the canonical host is at https://github.withadi.dev/.well-known/security.txt.