Skip to content

Security: bilbilak/treegen

Security

docs/SECURITY.md

Security Policy

We take the security of our software very seriously and we value the insights from the broader community of cyber-security experts. The disclosure of security vulnerabilities helps us ensure the safety and privacy of our users.

☂️ Supported Versions

For all software releases, bug fixes are provided for 18 months and security fixes are provided for 2 years. For all additional libraries, only the latest major release receives bug fixes.

📝 Reporting a Vulnerability

If you have discovered a security vulnerability in our project, we appreciate your help in disclosing it to us in a responsible manner.

How to report

  1. Do not disclose security-related issues publicly. You can report them by using GitHub's private vulnerability reporting. This allows us to manage the vulnerability as efficiently as possible and minimize the risk of malicious actors exploiting it. Please refrain from opening a GitHub Issue for this purpose.
    • Alternatively, you can send your reports via email to [email protected]. Please encrypt your email messages using our public PGP key (shown below) to ensure the confidentiality of the information.
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      
      mDMEZkp9NBYJKwYBBAHaRw8BAQdAdTRfZg2K5ptLWTFiEQDhc8kLBqZWnAx4DKfu
      gk/f9+60IEJpbGJpbGFrIDxzZWN1cml0eUBiaWxiaWxhay5kZXY+iJMEExYKADsW
      IQQg4gWawAA25Z/owGcZxUf58ATw3QUCZkp9NAIbAwULCQgHAgIiAgYVCgkICwIE
      FgIDAQIeBwIXgAAKCRAZxUf58ATw3aMWAQDejElRIR3JoC7XxkRdeXO2JCxpJ3ky
      agYpzkNvnPglJAD9H+MG5aFKChFNWpjv6Ioc7KQf0rMrkkffYNz7OlcvKgq4OARm
      Sn00EgorBgEEAZdVAQUBAQdAk08YbPDnVhP80MbK3Dz8+3NPB/LPjJq/M4XQCySt
      uVYDAQgHiHgEGBYKACAWIQQg4gWawAA25Z/owGcZxUf58ATw3QUCZkp9NAIbDAAK
      CRAZxUf58ATw3cuaAQCyHctmCEhBImx1BalWeRnyvFpLh9fr8OORBv49i3iVcwEA
      zGeET/PFrEeSafEb/Z7190x/HTt/uFasTYx7v1Xm8wg=
      =vutj
      -----END PGP PUBLIC KEY BLOCK-----
      
  2. Provide detailed reports. Include as much information as you can to help us understand the nature and scope of the vulnerability. This may include steps to reproduce, affected versions, and potential impacts.
  3. Stay in contact. After you have reported a vulnerability, we may need further information from you in order to verify or address the issue.

What we promise

  1. We will acknowledge your email within 48 hours, and will keep you updated on our progress as we address the vulnerability.
  2. We will validate and confirm the problem. After we have received your vulnerability report, we will work to validate and reproduce the issue.
  3. We will address the issue as quickly as possible. Our team is committed to patching vulnerabilities swiftly. The time it takes to release these patches may vary depending on the severity and complexity of the issue.
  4. We will publicize the vulnerability only after we have developed a fix for it. We will give you credit for the discovery in any public reports, unless you wish to remain anonymous.

Out-of-Scope Vulnerabilities

While we appreciate every security report, some vulnerability types may be out-of-scope, such as:

  1. Vulnerabilities in dependencies not included by default in the project.
  2. Vulnerabilities requiring extensive user interaction or unlikely user behavior.
  3. Issues that require physical access to the user's device.

Please understand that this policy is meant as a guideline, and we reserve the right to make exceptions based on the specifics of each case.


🫡 Thank you for helping us make our project safer for everyone! Your effort is commendable.

There aren’t any published security advisories