This section outlines the versions of our project that are currently receiving security updates and support.

| Version | Supported | End of Support |
|---|---|---|
| 5.1.x | ✅ | N/A |
| 5.0.x | ❌ | 2023-01-01 |
| 4.0.x | ✅ | 2024-01-01 |
| < 4.0 | ❌ | 2022-01-01 |

Note: Only actively supported versions receive critical security patches. Users are strongly encouraged to upgrade to the latest stable version to ensure the highest level of security.

We take security seriously and appreciate your efforts in identifying potential vulnerabilities. If you discover any security issues, please follow these guidelines:
- Submit a Report via Email: Send a detailed report to 123kevin@duck.com.
- Include the Following Information:
  - A clear description of the vulnerability.
  - Steps to reproduce the issue.
  - The affected version(s) of the software.
  - Any tools or configurations used during testing.
  - Potential impact of the vulnerability.
- Initial Response: We aim to acknowledge your report within 48 hours.
- Investigation: Our team will investigate the issue and provide periodic updates on the progress.
- Resolution: Once the vulnerability is confirmed, we will work diligently to patch it and release an update.
- Communication: You will be informed about the status of the fix and the expected timeline for deployment.
- Reports must include sufficient information to reproduce the issue.
- Vulnerabilities must affect a supported version of the software.
If your report does not meet the acceptance criteria or is deemed invalid, we will notify you with an explanation.
Our goal is to balance transparency with responsible disclosure to protect our users. Here’s how we handle public disclosure:
- Internal Review: Upon receiving a valid report, we conduct an internal review to assess the severity and impact of the vulnerability.
- Patch Development: We develop and test a fix for the issue.
- Coordinated Release: Once the fix is ready, we coordinate its release with the reporter (if applicable) to ensure proper communication.
- Public Announcement: After the fix is deployed, we may publish a security advisory detailing the issue, its resolution, and credits to the reporter (with their permission).
We value the contributions of security researchers who help us improve the security of our project. Below is a list of individuals and organizations whose efforts have been instrumental in identifying and resolving vulnerabilities:
- [Researcher Name] - Reported a critical vulnerability in version 5.1.2.
- [Organization Name] - Conducted a comprehensive security audit in 2023.
If you would like to be acknowledged for your contribution, please let us know when submitting your report.
This policy is subject to change as we continuously improve our processes. For further questions or clarifications, feel free to reach out to our security team at 123kevin@duck.com. Thank you for helping us maintain the security of our project!