Security: Roche/neuro-forestwalk

SECURITY.md

Security Policy

Reporting a Security Issue

We prioritize the security of our open source projects and are grateful for the community's support in identifying and addressing security-related issues. If you have discovered a potential security vulnerability, please help us by reporting it according to the following guidelines:

  1. Contact Us: Send your report via email to francesca.tozzi@roche.com with the subject line "FORESTWALK SECURITY ISSUE".

  2. What to Include:

    • A brief and precise description of the issue.
    • Detailed reproduction steps that outline how the vulnerability can be triggered.
    • Any relevant artifacts such as logs, screenshots, or exploit code.
    • Your name and contact information for any necessary follow-up.

  3. After Reporting: We will acknowledge receipt of your report, investigate the issue, and work on a timely resolution. Public acknowledgment of your contribution will be made after the issue is resolved, unless you prefer to remain anonymous.

Bug Bounty Program

If you uncover significant security vulnerabilities accompanied by a proof of concept, the Roche Vulnerability Management Team might extend an invitation to join Roche's private HackerOne bug bounty program, where you could receive recognition and rewards for your contributions.

Responsible Disclosure

  • Please avoid taking advantage of any vulnerabilities you might identify in our system.
  • Our commitment is to provide you with timely updates on the resolution of reported vulnerabilities and to acknowledge your role in the responsible disclosure process if you choose.

Scope

This security policy applies to the following project: neuro-ForestWalk. It includes all software versions and associated services.

Help Us Improve

We welcome contributions and feedback on our security processes. If you have suggestions for improving this policy or our security practices, please contact us at francesca.tozzi@roche.com.

There aren’t any published security advisories