The mo:os project (Collider-Data-Systems) takes security seriously. If you believe you have found a security vulnerability in any of our public repositories — moos-kernel, moos-router, or this .github repository — please report it privately. Do not open a public issue for security reports.
Preferred channel — GitHub private vulnerability reporting: open the affected repository's Security tab → Advisories → Report a vulnerability. This creates a private advisory visible only to the maintainers.
Alternative channel: email sam@my-tiny-data-collider.nl with the details.
Please include:
- the affected repository and version / commit,
- a description of the vulnerability and its impact,
- steps to reproduce (a proof-of-concept if available),
- any suggested remediation.
- Acknowledgement within 5 business days.
- An initial assessment and severity triage shortly after.
- Coordinated disclosure: we will agree a fix and a disclosure timeline with you, and credit you (if you wish) once a fix is released.
In scope: the public repositories under
Collider-Data-Systems —
moos-kernel, moos-router, and .github.
Out of scope: private / experimental repositories, third-party dependencies (report those upstream), and denial-of-service or social-engineering testing.
mo:os is under active single-maintainer development; only the latest
main / master of each public repository is supported. Security fixes land
on the default branch.
Maintained by the mo:os project. This policy lives in the org-level
.github repository and
applies to all public Collider-Data-Systems repositories.