Security & responsible disclosure
This is the canonical security page for the LaravelUi5 ecosystem — laravelui5/core, laravelui5/sdk, and laravelui5/odata, and the services that distribute them. We take security seriously and welcome responsible disclosure.
Reporting a vulnerability
Please do not open a public issue for security reports.
Report privately by encrypted email to security@pragmatiqu.io using the PGP key below. GitHub private vulnerability reporting is also enabled on each repository.
Helpful to include: the affected package and version, a description of the impact (e.g. authorization bypass, data exposure, privilege escalation), steps to reproduce or a proof of concept, and any suggested remediation.
PGP public key
Encrypt sensitive reports to the key below. After importing it, confirm that the fingerprint your PGP tool reports matches the one listed here before you encrypt anything.
- Key: pgp-key.asc
- Fingerprint: AF3D CE03 8FCA 56A5 1FB5 3A99 8237 0FF9 EF44 97B5
What to expect
- Acknowledgement within 3 business days.
- An initial assessment (severity, affected versions) shortly after.
- A coordinated fix and release; we keep you informed of progress.
- Credit in the release notes if you wish, with disclosure timing agreed together.
Please give us a reasonable window to remediate before any public disclosure.
Scope
In scope — vulnerabilities in the LaravelUi5 packages and the services that distribute them:
| Package / service | License / role |
|---|---|
| laravelui5/odata | MIT — the OData v4 engine |
| laravelui5/core | BSL 1.1 — the integration foundation |
| laravelui5/sdk | proprietary — the productivity layer |
| packages.pragmatiqu.io | the Satis distribution host |
Per-package supported versions are documented in each repository's SECURITY.md.
Out of scope: host application misconfiguration (the SDK's guarantees depend on the host wiring its guard, identity binding, and middleware correctly), and third-party dependencies (report those upstream, and tell us if a LaravelUi5 package is affected).
Safe harbor
We will not pursue legal action against good-faith security research that respects this policy — that is, research which avoids privacy violations, data destruction, and service disruption, and which gives us a reasonable window to remediate before public disclosure.
Machine-readable policy
A security.txt (RFC 9116) is published at /.well-known/security.txt.
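As a check a reporter can run before trusting published contact details, here is an added example (not code from the LaravelUi5 project or this page) that validates a security.txt body against the RFC 9116 rules: Contact and Expires are required, Expires and Preferred-Languages may appear at most once, Contact must be a URI, Encryption must use an https, dns or openpgp4fpr URI, and Expires must be an ISO 8601 timestamp that is neither in the past nor more than a year out. The sample files embedded in the block are constructed for the example and are not the file actually served at /.well-known/security.txt; fetch the real one and pass its text to `check_security_txt`.

```python
"""Validate a security.txt body against the RFC 9116 rules a reporter relies on."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample modelled on the fields this page describes (assumed URLs).
SAMPLE_SECURITY_TXT = """\
# Security policy (constructed example, not the published file)
Contact: mailto:security@pragmatiqu.io
Encryption: https://example.invalid/pgp-key.asc
Expires: 2025-12-31T00:00:00.000Z
Canonical: https://example.invalid/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed sample with three defects: bare e-mail address, duplicate Expires.
BAD_SECURITY_TXT = """\
Contact: security@pragmatiqu.io
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
"""

REQUIRED_FIELDS = {"contact", "expires"}
SINGLETON_FIELDS = {"expires", "preferred-languages"}
URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")
ENCRYPTION_SCHEMES = ("https://", "dns:", "openpgp4fpr:")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse 'Field: value' lines into lower-cased field -> list of values.
    Blank lines and '#' comments are skipped; any other line must contain ':'."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_iso8601(value: str) -> datetime:
    """Accept the 'Z' suffix that RFC 9116 examples use; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_security_txt(text: str, now_iso: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the file is usable.
    now_iso pins the reference time for reproducible checks (defaults to now)."""
    now = _parse_iso8601(now_iso) if now_iso else datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    problems: List[str] = []
    for name in sorted(REQUIRED_FIELDS):
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in sorted(SINGLETON_FIELDS):
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for contact in fields.get("contact", []):
        if not URI_SCHEME.match(contact):
            problems.append(f"Contact is not a URI with a scheme: {contact}")
    for enc in fields.get("encryption", []):
        if not enc.startswith(ENCRYPTION_SCHEMES):
            problems.append(f"Encryption must be an https, dns or openpgp4fpr URI: {enc}")

    expires = fields.get("expires", [])
    if len(expires) == 1:
        try:
            when = _parse_iso8601(expires[0])
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]}")
        else:
            if when.tzinfo is None:
                problems.append("Expires has no timezone; RFC 9116 requires a full datetime")
            elif when <= now:
                problems.append("security.txt has expired; do not rely on its contact data")
            elif when - now > timedelta(days=366):
                problems.append("Expires is more than a year out; RFC 9116 recommends under a year")
    return problems


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, check_security_txt(body, now_iso="2025-01-01T00:00:00Z") or "OK")
```

The check is deliberately strict about Expires: an expired security.txt is the most common way a published policy silently goes stale, and a reporter who encrypts to a key fetched through a stale Encryption URL may be talking to nobody.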