# O3DE Security Policy

## Reporting a Vulnerability
If you have information about a security issue or vulnerability in O3DE, please send the vulnerability report via e-mail to [security@o3de.org](mailto:security@o3de.org). 

> **_NOTE:_**  Please avoid creating GitHub issues, unless the vulnerability is already publicly disclosed, for example it has been reported in the [National Vulnerability Database](https://nvd.nist.gov/). 

The vulnerability report should include as much detail as possible, including:

- All relevant fields from the O3DE standard [issue template](https://github.com/o3de/o3de/blob/development/.github/ISSUE_TEMPLATE/bug_template.md).

- A detailed description of the vulnerability we can use to reproduce your findings.

- A definition of who can exploit this vulnerability and what they would gain.

- Information about any known exploits.

A member of the [SIG-Security](https://github.com/o3de/sig-security/) Issue Response Team will review your e-mail and contact you to collaborate on resolving the issue.

For more details, please refer to the [Security Documentation](https://www.o3de.org/docs/contributing/security) for O3DE.