Security: coravel-rs/docs

docs/SECURITY.md

Security Policy

We take the security of our software very seriously and we value the insights from the broader community of cyber-security experts. The disclosure of security vulnerabilities helps us ensure the safety and privacy of our users.

☂️ Supported Versions

For all Coravel releases, bug fixes are provided for 18 months and security fixes are provided for 2 years. For all additional libraries, only the latest major release receives bug fixes.

📝 Reporting a Vulnerability

If you have discovered a security vulnerability in our project, we appreciate your help in disclosing it to us in a responsible manner.

How to report

  1. Do not disclose security-related issues publicly. You can report them by using GitHub's private vulnerability reporting. This allows us to manage the vulnerability as efficiently as possible and minimize the risk of malicious actors exploiting it. Please refrain from opening a GitHub Issue for this purpose.
    • Alternatively, you can send your reports via email to [email protected]. Please encrypt your email messages using our public PGP key to ensure the confidentiality of the information.
  2. Provide detailed reports. Include as much information as you can to help us understand the nature and scope of the vulnerability. This may include steps to reproduce, affected versions, and potential impacts.
  3. Stay in contact. After you have reported a vulnerability, we may need further information from you in order to verify or address the issue.

What we promise

  1. We will acknowledge your email within 48 hours, and will keep you updated on our progress as we address the vulnerability.
  2. We will validate and confirm the problem. After we have received your vulnerability report, we will work to validate and reproduce the issue.
  3. We will address the issue as quickly as possible. Our team is committed to patching vulnerabilities swiftly. The time it takes to release these patches may vary depending on the severity and complexity of the issue.
  4. We will publicize the vulnerability only after we have developed a fix for it. We will give you credit for the discovery in any public reports, unless you wish to remain anonymous.

Out-of-Scope Vulnerabilities

While we appreciate every security report, some vulnerability types may be out of scope, such as:

  1. Vulnerabilities in dependencies not included by default in the project.
  2. Vulnerabilities requiring extensive user interaction or unlikely user behavior.
  3. Issues that require physical access to the user's device.

Please understand that this policy is meant as a guideline, and we reserve the right to make exceptions based on the specifics of each case.

🫡 Thank you for helping us make our project safer for everyone! Your effort is commendable.