The ossguard team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.
Please DO NOT file a public issue for security vulnerabilities. Report them privately through one of the following channels:
- Email: security@ossguard.dev
- GitHub Security Advisories: use GitHub's private vulnerability reporting to report a vulnerability directly to the maintainers.
Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Impact assessment (what an attacker could achieve)
- Affected versions
- Suggested fix (if you have one)
After you report, you can expect the following:
- Acknowledgment: we will acknowledge receipt of your report within 48 hours.
- Assessment: we will provide an initial assessment within 1 week.
- Fix & Disclosure: we aim to release a fix within 90 days of the report, following coordinated vulnerability disclosure practices.
We follow the OpenSSF Vulnerability Disclosure Guide for coordinated disclosure. We request that you:
- Allow us reasonable time to fix the issue before public disclosure.
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
- Do not exploit the vulnerability beyond what is necessary to confirm it (for example, do not access or exfiltrate data that is not your own).
Only the latest release receives security fixes; older versions are not supported:

| Version | Supported |
|---|---|
| latest | ✅ |
| older releases | ❌ |
Security updates will be released as patch versions and announced via:
- GitHub Security Advisories
- Release notes
This project follows OpenSSF Best Practices and uses:
- OpenSSF Scorecard for automated security assessment
- Dependency scanning via Dependabot/Renovate
- Code scanning via CodeQL or equivalent
- Signed releases via Sigstore
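Because releases are signed with Sigstore, consumers should verify a release artifact before installing it. The script below is an added example, not ossguard's own tooling or release layout: the artifact and bundle filenames are placeholders, and the signing identity regexp and OIDC issuer assume keyless signing from a GitHub Actions workflow (substitute the values published with the release). It pins both the signer identity and the issuer, so a valid signature from an unexpected identity still fails.

```shell
#!/bin/sh
# Added example: verify a Sigstore-signed release with cosign.
# Not part of the ossguard project; names below are assumptions.
set -eu

# Hypothetical placeholders; take the real names from the release page.
ARTIFACT="${1:-ossguard_linux_amd64.tar.gz}"
BUNDLE="${2:-${ARTIFACT}.sigstore.json}"

# Assumed keyless signing from GitHub Actions: the certificate identity is
# the workflow URL and the OIDC issuer is GitHub's token service.
IDENTITY_RE="${IDENTITY_RE:-^https://github\.com/[^/]+/ossguard/\.github/workflows/.+}"
ISSUER="${ISSUER:-https://token.actions.githubusercontent.com}"

# verify_release ARTIFACT BUNDLE
#   returns 0 on a valid signature from the pinned identity/issuer,
#   2 if an input file is missing, 3 if cosign is not installed,
#   otherwise cosign's own non-zero status (signature invalid or identity mismatch).
verify_release() {
  artifact="$1"
  bundle="$2"
  [ -f "$artifact" ] || { echo "missing artifact: $artifact" >&2; return 2; }
  [ -f "$bundle" ]   || { echo "missing bundle: $bundle" >&2; return 2; }
  command -v cosign >/dev/null 2>&1 || { echo "cosign is not installed" >&2; return 3; }

  # --bundle carries the certificate, signature and transparency-log entry
  # together; the identity and issuer flags reject signatures from anyone
  # other than the expected release workflow.
  cosign verify-blob \
    --bundle "$bundle" \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$ISSUER" \
    "$artifact"
}

# Stand-alone usage: only attempt verification when the artifact is present.
if [ -f "$ARTIFACT" ]; then
  verify_release "$ARTIFACT" "$BUNDLE" && echo "verified: $ARTIFACT"
else
  echo "usage: $0 ARTIFACT BUNDLE  (artifact '$ARTIFACT' not found)" >&2
fi
```

Run it as `sh verify.sh ossguard_linux_amd64.tar.gz ossguard_linux_amd64.tar.gz.sigstore.json` after downloading both files from the release; a non-zero exit means the artifact must not be installed. If the project publishes a different identity (for example a release workflow in another repository), override `IDENTITY_RE` rather than loosening the regexp to match anything.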
We gratefully acknowledge security researchers who help keep ossguard safe. Contributors will be credited in security advisories (unless anonymity is requested).