This security policy outlines the process for reporting vulnerabilities and secrets found within this GitHub repository. It is essential that all contributors and users adhere to this policy in order to maintain a secure and stable environment.
If you discover a vulnerability within the code, dependencies, or any other component of this repository, please follow these steps:
-
Do not disclose the vulnerability publicly. Publicly disclosing a vulnerability may put the project at risk and could potentially harm other users.
-
Contact the repository maintainer(s) privately. Send a private message or email to the maintainer(s) with a detailed description of the vulnerability. Include the following information:
- The affected component(s)
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any possible mitigations or workarounds
-
Wait for a response from the maintainer(s). Please be patient, as they may need time to investigate and verify the issue. The maintainer(s) should acknowledge receipt of your report and provide an estimated time frame for addressing the vulnerability.
-
Cooperate with the maintainer(s). If requested, provide additional information or assistance to help resolve the issue.
-
Do not disclose the vulnerability until the maintainer(s) have addressed it. Once the issue has been resolved, the maintainer(s) may choose to publicly disclose the vulnerability and credit you for the discovery.
If you discover any secrets, such as API keys or passwords, within the repository, follow these steps:
-
Do not share the secret or use it for unauthorized purposes. Misusing a secret could have severe consequences for the project and its users.
-
Contact the repository maintainer(s) privately. Notify them of the discovered secret, its location, and any potential risks associated with it.
-
Wait for a response and further instructions.
We encourage responsible disclosure of vulnerabilities and secrets. If you follow the steps outlined in this policy, we will work with you to understand and address the issue. We will not take legal action against individuals who discover and report vulnerabilities or secrets in accordance with this policy.
We are committed to maintaining the security of our project. When vulnerabilities are reported and confirmed, we will:
- Work diligently to develop and apply a patch or implement a mitigation strategy.
- Keep the reporter informed about the progress of the fix.
- Update the repository with the necessary patches and document the changes in the release notes or changelog.
- Credit the reporter for the discovery, if they wish to be acknowledged.
We welcome contributions that help improve the security of our project. If you have suggestions or want to contribute code to address security issues, please follow the standard contribution guidelines for this repository. When submitting a pull request related to security, please mention that it addresses a security issue and provide any necessary context.
By adhering to this security policy, you contribute to the overall security and stability of the project. Thank you for your cooperation and responsible handling of vulnerabilities and secrets.