forceCalendar targets security-sensitive environments (Salesforce Lightning, strict-CSP enterprises), so we take vulnerability reports seriously and publish our security posture openly at the audit page.
| Package | Supported |
|---|---|
@forcecalendar/core |
latest 2.x |
@forcecalendar/interface |
latest 1.x |
| Salesforce distribution | latest release |
Please do not report security vulnerabilities through public GitHub issues.
Use GitHub private vulnerability reporting on the affected repository ("Security" tab → "Report a vulnerability").
Include, where possible:
- The affected package and version
- A description of the vulnerability and its impact
- Steps to reproduce or a proof of concept
- Acknowledgement within 72 hours
- Assessment and severity triage within 7 days
- Fix or mitigation targeted within 30 days for high/critical issues
Confirmed vulnerabilities and their remediation status are tracked publicly (after a fix is available) via issues labeled type:security and surfaced on the audit page.