Security: mCodex/react-native-sensitive-info

SECURITY.md

Security Policy

Supported Versions

Version     Supported
6.x         ✅ Supported
5.6.x       ✅ Supported
< 5.6.0     ❌ Not supported

We ship security fixes for the current v6 line and the latest v5 maintenance branch (≥ 5.6.0). Releases prior to 5.6.0 no longer receive patches—upgrade as soon as possible to stay protected.

Reporting a Vulnerability

  1. Contact: Email security reports to [email protected].
  2. Disclosure Window: We aim to acknowledge reports within 3 business days and provide a remediation plan within 10 business days.
  3. Coordinated Disclosure: Please refrain from publicly disclosing the issue until a fix is available or 30 days have passed since acknowledgement.

Patch Process

  • Critical fixes ship in a point release for the supported branches (6.x and ≥ 5.6.0).
  • Vulnerability advisories are published on the GitHub release page and npm once patches are available.
  • We credit reporters who follow coordinated disclosure and wish to be acknowledged.

Hardening Recommendations

  • Stay on the latest minor release within your major version to receive defense-in-depth updates.
  • Review the Access control & metadata section for guidance on choosing the strongest policies.
  • Test secure storage flows on physical hardware before shipping; emulators often omit secure elements.

Thank you for helping us keep react-native-sensitive-info secure.

There aren’t any published security advisories