Security Policy

Thank you for taking the time to help keep this project secure.

This project is maintained by a single developer. I care deeply about writing safe, secure software, but my availability can vary. There may be long periods where I am unable to check email or respond to issues. Please keep this in mind when reporting any security concern.

Despite this, I genuinely appreciate responsible disclosure and will address issues when I am able.


🛡 Supported Versions

Security fixes will generally be applied to:

  • The latest released version
  • The main development branch

Older versions may or may not receive updates depending on severity and feasibility.


🔐 Reporting a Vulnerability

Please do not disclose security issues publicly until we have discussed them privately.

To report a potential vulnerability, contact me at:

  • Email: taggedzi.mpc@gmail.com
    (This is the same public email associated with my other GitHub projects.)

If email is not possible for you, you may open a GitHub issue with only a minimal high-level description and request a private way to follow up.

When reporting, please include when possible:

  • A short description of the issue
  • Steps to reproduce or proof-of-concept
  • The potential impact
  • Any suggested fixes (optional but appreciated)

⏱ Availability & Response Expectations

Because this project is maintained by one person and my ability to work varies:

  • I may not be able to reply quickly
  • Sometimes I may be unavailable for weeks or even a month
  • When I am able to work, I will always treat security concerns with priority and respect

A reasonable expectation is:

  • Acknowledgment: within 2–4 weeks (may be sooner, may occasionally be longer)
  • Investigation & resolution: when my health and availability permit

If you do not receive a reply after several weeks, feel free to send a gentle follow-up.


🧭 Scope

This policy applies to:

  • The code in this repository
  • Packaged builds and releases derived from it

Third-party dependencies are outside this project’s control, but reports about risky dependencies are still welcome.


🤝 Good-Faith Security Research

I appreciate good-faith security research. When testing:

  • Avoid actions that could harm others
  • Avoid submitting exploit details publicly
  • Avoid disruptive automated scanning

If you privately disclose an issue in good faith, you will be treated respectfully regardless of severity.


🙏 Thank You

Your effort makes the project safer for everyone.
Even small reports are appreciated.
Thank you for your patience and understanding.