Security Policy¶
The ESCAPE project takes the security of its software seriously. This page describes how to report security vulnerabilities and what to expect from the process.
Reporting a Vulnerability¶
If you discover a security vulnerability in the ESCAPE software, please report it by email to:
escape.app.net@gmail.com
Please include the following information in your report:
A description of the vulnerability
Steps to reproduce the issue
The affected version(s) of ESCAPE
Any potential impact you have identified
Your name and contact information (optional, but helpful for follow-up)
Do not disclose the vulnerability publicly (e.g. in a GitLab issue) until we have had a chance to investigate and provide a fix.
What to Expect¶
Acknowledgement: We will acknowledge receipt of your report within 72 hours.
Assessment: We will investigate the report and assess its severity. We may contact you for additional information.
Resolution: We will work to develop a fix and release a security update as soon as possible. The timeline depends on the severity and complexity of the issue.
Notification: Once a fix is available, we will notify you and publish a security advisory.
Coordinated Disclosure¶
We ask that vulnerability reporters follow a coordinated disclosure process:
Allow at least 90 days from the initial report before any public disclosure, to give us time to develop and release a fix.
If we have not responded or provided a fix within 90 days, you are free to disclose the vulnerability publicly.
We will credit reporters in security advisories unless they prefer to remain anonymous.
Security Updates¶
Security patches are provided for the current major release of ESCAPE.
We recommend that all users keep their ESCAPE installation up to date to benefit from the latest security fixes.
Security updates are published on the download page and announced on the website.
Third-Party Dependencies¶
ESCAPE depends on third-party open-source libraries (e.g. NumPy, SciPy, Cython, PyYAML). If a security vulnerability is discovered in one of these dependencies, we will assess the impact on ESCAPE and release an updated version incorporating the fix as soon as practicable.
EU Cyber Resilience Act (CRA)¶
As of September 2026, the ESCAPE project complies with the vulnerability reporting obligations under EU Regulation 2024/2847 (Cyber Resilience Act). Actively exploited vulnerabilities and severe security incidents are reported to the relevant authorities (BSI/ENISA) within the mandated timelines.