Security: carlos-camara/qa-hub-actions

Security

SECURITY.md

🛡️ Security Policy

Supported Versions

At QA Hub Actions, we take the security of your CI/CD pipelines very seriously. Only the main branch and officially tagged major and minor releases receive active security updates.

Version Supported
v1
main
v0.x

Reporting a Vulnerability

If you discover any security-related issues in any of the Actions provided in this repository (e.g., exposed secrets in logging, RCE vectors, unsanitized inputs), please do not report them publicly.

  1. Open a private security advisory through the GitHub UI for this repository.
  2. Provide a detailed description of the vulnerability, including:
    • The specific Action affected (e.g., jira-auto-tagger, run-tests).
    • Steps to reproduce the vulnerability.
    • Potential impact on the CI/CD pipeline or downstream users.
  3. We will acknowledge your report within 48 hours and begin assessing the issue.
  4. Once verified, we will work with you to patch the vulnerability and release an update before disclosing it publicly.

Thank you for helping keep our infrastructure secure!
