Fosniedocsv0.1

Security policy

How to report a vulnerability, and what to expect.

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests. Report privately using one of:

  • GitHub Private Vulnerability Reporting – the "Report a vulnerability" button under the repository's Security tab (preferred), once the repository is public; or
  • Emailsecurity@fosnie.dev. To encrypt your report, request our PGP key in your first message.

Please include, as far as you can:

  • a description of the issue and its potential impact;
  • the affected component/version and configuration (backend, ML service, frontend; edition; deployment target);
  • step-by-step reproduction, with a proof-of-concept if available;
  • any suggested remediation.

What to expect

  • Acknowledgement within 3 business days.
  • An initial assessment and severity triage within 10 business days.
  • Regular updates on remediation progress.
  • Coordinated disclosure – we'll agree a timeline with you and credit you (if you wish) once a fix is available. Please give us a reasonable opportunity to remediate before public disclosure – typically up to 90 days, sooner for issues under active exploitation.

Scope

This policy covers Fosnie. Vulnerabilities in third-party dependencies should normally be reported upstream; if a dependency issue specifically affects Fosnie, tell us so we can mitigate.

Safe harbour

We won't pursue or support legal action against researchers who, in good faith, discover and report vulnerabilities in line with this policy, who avoid privacy violations and service disruption, and who don't access or modify data beyond the minimum needed to demonstrate the issue. Do not run tests against deployments you don't own or have explicit permission to test.

Supported versions

Until a stable 1.0 release, security fixes are provided for the latest released version on the default branch. A supported-version table will appear here once formal release branches exist.

Was this page helpful?

On this page