| Version | Supported |
|---|---|
| Latest release | Yes |
| Older releases | Best effort |
If you discover a security vulnerability in Rampart, please report it responsibly. Do not open a public GitHub issue for security vulnerabilities.
- Email: send details to the maintainer at the email address listed on the maintainer's GitHub profile.
- Include: a description of the vulnerability, steps to reproduce, affected versions, and potential impact.
- Response time: we aim to acknowledge reports within 48 hours and, for critical issues, to provide a fix or a mitigation plan within 7 days.
The following classes of issue are in scope:
- Authentication or authorization bypasses
- Token leakage, session fixation, or session hijacking
- SQL injection, XSS, CSRF, or SSRF
- Cryptographic weaknesses
- Privilege escalation
- Information disclosure (secrets, PII, internal state)
The following are out of scope:
- Denial of service via resource exhaustion (unless it is trivially exploitable, in which case please report it)
- Issues in dependencies without a demonstrated exploit path in Rampart
- Social engineering attacks
- Issues requiring physical access to the server
Disclosure is handled as follows:
- We will coordinate disclosure timing with the reporter.
- We will credit reporters in the release notes (unless they prefer anonymity).
- We aim to release fixes before or alongside public disclosure.
Rampart follows security-first development practices:
- All dependencies are pinned and audited with govulncheck, gosec, and Trivy.
- CI runs security scans on every PR.
- Secrets are never stored in plaintext.
- All authentication flows follow the OAuth 2.0 (RFC 6749) and OpenID Connect specifications.
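As an added illustration of the scanning practice above (this is an example workflow, not Rampart's own CI configuration), the following GitHub Actions job runs govulncheck, gosec, and Trivy on every pull request and fails the build on findings. The action names and version tags are assumptions; under a strict pinning policy, the `@vN` tags and `@latest` installs would be replaced with exact versions or commit SHAs.

```yaml
# Example CI security-scan job (not Rampart's own workflow).
# Action versions, tool versions and Trivy severity thresholds are assumptions.
name: security-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      # Fail if go.mod/go.sum drift from what the code imports, and verify
      # that the module cache matches the checksums recorded in go.sum.
      - name: Verify pinned dependencies
        run: |
          go mod tidy
          git diff --exit-code go.mod go.sum
          go mod verify

      # govulncheck reports known vulnerabilities that are actually reachable
      # from this code, which keeps noise from unused dependency paths low.
      - name: govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest   # pin this in practice
          govulncheck ./...

      # gosec is a static analyser for insecure Go patterns
      # (hard-coded credentials, weak crypto primitives, unchecked errors, ...).
      - name: gosec
        run: |
          go install github.com/securego/gosec/v2/cmd/gosec@latest   # pin this in practice
          gosec ./...

      # Trivy scans the checked-out tree for vulnerable dependencies,
      # misconfigurations and committed secrets; exit-code 1 fails the job.
      - name: Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,misconfig,secret
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: "1"
```

The dependency step runs before the scanners so that a PR which quietly edits go.sum is rejected outright rather than being scanned against a different dependency set than the one reviewers see.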