
Security policy

Supported versions

The main branch and the most recent tagged release receive security fixes. Older releases are best-effort.

Reporting a vulnerability

Please report suspected vulnerabilities privately via GitHub's private advisory flow:

https://github.com/paulnsorensen/easy-cheese/security/advisories/new

If that is not available, email paulnsorensen@gmail.com. Encrypted email is welcome.

When reporting, please include:

  • A description of the issue and its impact.
  • Steps to reproduce, or a proof-of-concept.
  • Affected version(s) or commit SHA.
  • Any suggested mitigation, if you have one.

We aim to acknowledge reports within 3 business days and to share a remediation timeline within 10 business days. Please give us a reasonable window to ship a fix before public disclosure — typically 90 days, sooner if a fix is shipped earlier or if the issue is already public.

Scope

In scope:

  • The source code in this repository.
  • Released artifacts (binaries, packages) produced from this repo.

Out of scope:

  • Third-party dependencies — please report those upstream.
  • Self-hosted deployments configured outside the project's documented defaults.
  • Social-engineering or physical-access attacks.

Thanks for helping keep the project safe.