Skip to content

Security: soruly/trace.moe

SECURITY.md

Security Policy

Thank you for helping to keep trace.moe secure. We take security seriously and appreciate your efforts to responsibly disclose vulnerabilities.

This document outlines our policy for reporting security vulnerabilities, supported versions, and the response process.

Supported Versions

Only the latest major version of trace.moe is actively supported with security updates. If you find a security issue in an older version, please verify if it also affects the latest version before reporting.

Reporting a Vulnerability

Please do not report security vulnerabilities via public GitHub issues.

If you discover a potential security vulnerability in this project, please report it using one of the following methods:

  1. GitHub Private Vulnerability Reporting: If available on the repository, please use the "Report a vulnerability" button under the Security tab of the GitHub repository.
  2. Direct Contact: You can email the maintainer directly at soruly@gmail.com or contact via Telegram at @soruly.

When reporting a vulnerability, please include the following details to help us understand and resolve the issue quickly:

  • A description of the vulnerability and its potential impact.
  • Step-by-step instructions (or a proof-of-concept script/exploit) to reproduce the vulnerability.
  • Any specific configuration or environment details required to reproduce it.

Response and Resolution Process

Once we receive a vulnerability report, we will:

  1. Acknowledge receipt of the report within 48 hours.
  2. Triage and investigate the report to confirm the vulnerability.
  3. Keep the reporter updated on the status of the investigation and any planned fixes.
  4. Develop a fix/patch and release a new version.
  5. Work with the reporter to coordinate a disclosure timeline (typically within 90 days of the report, or sooner once the fix is released).

Safe Harbor / Responsible Disclosure

To encourage responsible disclosure, we promise not to pursue legal action against security researchers who:

  • Share details of the vulnerability with us first.
  • Avoid violating the privacy of others, disrupting our services, destroying data, or harming the user experience.
  • Do not exploit the vulnerability beyond what is strictly necessary to prove its existence (i.e. do not access, modify, or delete user/system data).
  • Give us a reasonable amount of time to address the issue before making any information public.

There aren't any published security advisories