For vulnerabilities in open source software, I generally follow this process:
- Report the issue through the project's documented security channel (e.g. /security, SECURITY.md, email, GHSA, private portal, VDP, or VRP).
- If no private reporting channel exists, or if there is no response within 30 days of an email or GHSA submission, I may open a public issue without a PoC.
- If the report is acknowledged through a private reporting channel, I will send up to two follow-up messages over the following weeks to check on remediation progress.
- Where maintainers request an extension, I target a disclosure timeline of up to 90 days for remediation and coordinated disclosure.
- If communication lapses for more than 30 days after the last substantive response, or once the vulnerability has been fixed, I may disclose the issue through a CNA, where appropriate.