Security: SaaSy-Solutions/mockforge

SECURITY.md

Security Policy

Reporting Security Vulnerabilities

If you discover a security vulnerability in MockForge, please help us by reporting it responsibly.

How to Report

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing: security@mockforge.dev

You can expect:

  • A response within 48 hours acknowledging receipt of your report
  • Regular updates on our progress investigating the issue
  • Notification when the issue is fixed

What to Include

When reporting a security vulnerability, please include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Any suggested fixes or mitigations
  • Your contact information for follow-up

Our Commitment

We are committed to:

  • Investigating all legitimate reports
  • Keeping reporters informed of our progress
  • Notifying the community when vulnerabilities are fixed
  • Giving credit to security researchers (with permission)

Scope

This security policy applies to MockForge itself, including:

  • The MockForge CLI tool
  • HTTP, gRPC, and WebSocket mocking libraries
  • Admin UI
  • Documentation and examples

Out of Scope

This policy does not apply to:

  • Third-party dependencies (please report to the respective projects)
  • Configuration issues that don't expose security vulnerabilities
  • Denial of service attacks that require unrealistic resource usage

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized. We will not pursue legal action against researchers who follow these guidelines.

Disclosure Timeline

We follow a 90-day disclosure timeline:

  • Day 0: Vulnerability reported
  • Day 30: Acknowledge receipt and provide initial assessment
  • Day 60: Provide fix timeline and progress updates
  • Day 90: Public disclosure of the vulnerability and fix

We may accelerate this timeline if the vulnerability is already public or being actively exploited.

Recognition

We appreciate security researchers who help keep MockForge safe. With your permission, we will publicly acknowledge your contribution in our release notes and security advisories.

Thank you for helping keep MockForge and its users secure!

There aren’t any published security advisories