This document outlines security procedures and general policies for the Swift Package Index project.
We take all security bugs in the Swift Package Index project seriously. We appreciate your responsible disclosure efforts and, where appropriate, will acknowledge your contributions.
Please report security bugs via the “Security” tab in the Server GitHub repository or directly via the “Report a Vulnerability” form. This will open a private conversation with the Swift Package Index project maintainers.
Once we resolve a security issue, we will publish a security advisory on the GitHub repository’s “Security” tab, where appropriate.
If you find a security issue in a package indexed by the Swift Package Index, please report it directly to the package maintainer.
If you believe a package has malicious intent or critical security issues that the maintainer doesn’t address promptly, report it via the “Security” tab in the PackageList GitHub repository or directly via the “Report a Vulnerability” form. This will open a private conversation with the Swift Package Index project maintainers.
Please open a discussion if you have suggestions to improve this process.