Security: santi100a/bisect-lib

SECURITY.md

Security Policy

Reporting a Vulnerability

First see the Code of Conduct and Contribution instructions!

If you believe you have discovered a security vulnerability in this project, please email me at [email protected]. Please include a detailed description of the vulnerability and steps to reproduce it, along with any relevant information on the environment and configuration where the vulnerability was discovered. Please do not disclose the vulnerability publicly until it has been addressed by me.

Scope

This security policy applies to all versions of the project, including any pre-release or beta versions. I will make reasonable efforts to address vulnerabilities in a timely manner, but I can make no guarantees whatsoever regarding the timeline or process for addressing vulnerabilities.

Responsible Disclosure

I am committed to addressing security vulnerabilities in a responsible manner, and will follow the principles of responsible disclosure:

  • I will acknowledge receipt of your vulnerability report as soon as possible.
  • I will provide an estimated timeline for addressing the vulnerability and keep you informed of any changes to the timeline.
  • I will provide credit to you in the release notes for any vulnerability that you report, unless you prefer to remain anonymous.
  • I will not take legal action against you or disclose your identity to any third party without your consent, unless required by law.

Vulnerability Severity

I will evaluate the severity of reported vulnerabilities. The severity of the vulnerability will determine the priority for addressing it.

Patching

I will try my best to provide patches for all vulnerabilities that are confirmed and accepted. I will make reasonable efforts to provide patches in a timely manner, and will prioritize high-severity vulnerabilities. I may provide workarounds or mitigation advice in cases where a patch is not immediately available.

Public Disclosure

I will coordinate with you to determine an appropriate timeline for public disclosure of the vulnerability, taking into account the severity of the vulnerability, the availability of patches, and any other relevant factors. I will make a best effort to release a patch for the vulnerability before publicly disclosing it, and will coordinate with other affected parties if necessary.