The BBC's full responsible disclosure policy can be found at https://www.bbc.com/backstage/security-disclosure-policy/. This page provides further details on whether this repository is in scope of that responsible disclosure process.
This repository is in scope of the BBC's Security Disclosure Policy provided the following conditions are also met:
- The repository is not archived.
- The security issue affects the default branch of the repository. Issues affecting forks or non-default branches are out of scope unless they concern exposed secrets such as API keys.
- The scope conditions set out in the responsible disclosure policy (https://www.bbc.com/backstage/security-disclosure-policy/) are also met.
Please do not open public GitHub issues, pull requests, or discussions to report security vulnerabilities.
To report a security vulnerability, you must use GitHub's Private Vulnerability Reporting feature within this repository. Please see GitHub's documentation for more details on using this feature to report a security issue.
If you have any broader questions about the process, you can use the BBC’s official security reporting email as found at https://www.bbc.co.uk/.well-known/security.txt.