| Version | Supported |
|---|---|
| 0.x.y | ✅ |
To report a security vulnerability, please DO NOT open a public GitHub Issue.
Instead, contact the maintainers privately:
- Email:
security@loust.pro - GitHub Private Vulnerability Reporting: Use the "Security" tab → "Advisories" → "Report a vulnerability"
Please include as much of the following as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested mitigation (if any)
- We aim to respond within 48 hours to acknowledge receipt.
- We aim to publish a fix within 14 days.
- We follow a 90-day coordinated disclosure timeline.
- Public disclosure will be coordinated with the reporter.
| Component | Notes |
|---|---|
pkg/github/client.go |
Handles GitHub API tokens — treat as secret |
internal/webhook/webhook.go |
Receives untrusted external payloads |
internal/llm/ |
External LLM calls — do not trust unvalidated LLM output |
For threat modeling context, see the architecture in pkg/domain/types.go and internal/classifier/.