56 lines
1.7 KiB
Markdown
56 lines
1.7 KiB
Markdown
# Security Policy
|
|
|
|
Thanks for helping keep Tolaria safe.
|
|
|
|
If you believe you have found a security vulnerability, **please do not open a public GitHub issue**. Report it privately instead.
|
|
|
|
## Supported versions
|
|
|
|
We currently support security fixes for:
|
|
|
|
| Version | Supported |
|
|
| --- | --- |
|
|
| Latest stable release | ✅ |
|
|
| `main` branch | Best effort |
|
|
| Older releases / prereleases | ❌ |
|
|
|
|
## Reporting a vulnerability
|
|
|
|
Please email **luca@refactoring.club** with the subject line **`[Tolaria Security]`**.
|
|
|
|
Include as much of the following as you can:
|
|
|
|
- a short description of the issue
|
|
- reproduction steps or a proof of concept
|
|
- affected version / commit, if known
|
|
- impact assessment
|
|
- any suggested mitigation
|
|
|
|
If the issue involves sensitive user data, credentials, or a working exploit, keep the report private and do not post details publicly.
|
|
|
|
## What to expect
|
|
|
|
We will try to:
|
|
|
|
- acknowledge receipt within a few business days
|
|
- reproduce and assess the report
|
|
- work on a fix or mitigation if the issue is valid
|
|
- coordinate public disclosure after users have had a reasonable chance to update
|
|
|
|
## Disclosure guidelines
|
|
|
|
Please give us a reasonable amount of time to investigate and ship a fix before publishing details.
|
|
|
|
We appreciate responsible disclosure and good-faith research.
|
|
|
|
## Out of scope
|
|
|
|
The following are generally out of scope unless they demonstrate a real security impact:
|
|
|
|
- missing best-practice headers or hardening with no practical exploit
|
|
- self-XSS or editor behavior that requires unrealistic user actions
|
|
- reports that only affect unsupported old builds
|
|
- purely theoretical issues with no plausible attack path
|
|
|
|
If you are unsure whether something qualifies, please still report it privately.
|