This security policy applies to repositories maintained under the GitHub account @mohammadijoo.

These repositories include educational projects, engineering simulations, robotics and control examples, machine learning tutorials, web applications, programming examples, and research-oriented software.

Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability, please report it privately using one of the following methods:

1. Use GitHub's private vulnerability reporting feature if it is enabled for the repository.
2. Contact the maintainer through the GitHub profile: @mohammadijoo
3. Email the maintainer: a.mohamadijoo@gmail.com

When reporting a vulnerability, please include as much useful information as possible:

• Repository name
• Affected file, module, route, page, script, or component
• Description of the vulnerability
• Steps to reproduce
• Proof-of-concept details, if safe to share
• Expected impact
• Suggested fix, if you have one
• Relevant environment details such as operating system, browser, runtime, dependency versions, or server configuration

Please avoid including destructive payloads, real private data, or actions that could harm users, systems, or services.

Security issues may include, but are not limited to:

• Authentication or authorization bypass
• Exposed credentials, tokens, secrets, or API keys
• Cross-site scripting
• SQL, NoSQL, command, template, or code injection
• Unsafe file upload handling
• Path traversal
• Insecure session or cookie handling
• Insecure direct object references
• Cross-site request forgery
• Sensitive information disclosure
• Dependency vulnerabilities
• Dangerous default configuration
• Unsafe use of third-party APIs
• Server-side request forgery
• Broken access control in admin panels
• Weak password handling
• Insecure OAuth or social login implementation

For scientific, educational, and simulation repositories, issues such as incorrect equations, numerical instability, or inaccurate documentation should normally be reported as regular bugs unless they create an actual security risk.

Unless a repository states otherwise, security support is mainly provided for the latest version of each active repository.

Older, archived, experimental, or demonstration repositories may receive limited security support.

If a repository has its own SECURITY.md, the repository-specific file overrides this account-level default policy.

The maintainer will make a reasonable effort to:

• Review the report.
• Confirm whether the issue is reproducible.
• Estimate the severity and affected scope.
• Prepare a fix when appropriate.
• Credit the reporter if requested and appropriate.
• Avoid public disclosure before a reasonable fix or mitigation is available.

Response time may vary depending on project priority, workload, and the complexity of the issue.

Please follow responsible disclosure practices:

• Do not publicly disclose the vulnerability before the maintainer has had a reasonable opportunity to investigate and fix it.
• Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
• Do not access, modify, delete, or exfiltrate data that does not belong to you.
• Do not attack production systems, third-party services, or users.
• Do not use automated high-volume scanning against systems connected to these projects without permission.
• Do not submit reports involving spam, social engineering, physical attacks, or denial-of-service testing.

The following are generally out of scope unless they create a clear, practical security risk:

• Reports only about missing security headers in static demo pages
• Theoretical issues without a realistic attack scenario
• Vulnerabilities in unsupported or obsolete dependency versions when no practical exploit path is shown
• Social engineering
• Physical attacks
• Denial-of-service testing
• Reports generated only by automated tools without explanation
• Issues in third-party platforms not controlled by the maintainer
• Non-security bugs such as mathematical errors, UI problems, broken links, or inaccurate documentation

Many repositories under this account are educational demos or learning projects.

For these repositories, some code may intentionally be simplified to help students understand the core idea. However, if a project includes authentication, database access, file uploads, admin panels, APIs, deployment instructions, or server-side logic, security reports are welcome.

If you find a vulnerable dependency, please include:

• Dependency name
• Affected version
• Fixed version, if known
• Vulnerability identifier, such as CVE or advisory ID
• Explanation of whether the repository actually uses the vulnerable functionality

If you accidentally discover exposed credentials, tokens, API keys, database URLs, private certificates, or other sensitive information, please report it privately immediately.

Do not test, use, publish, or share the secret.

Thank you for helping improve the security and reliability of these projects. Responsible reporting helps protect users, students, contributors, and maintainers.