We take the security of our project seriously and appreciate your help in identifying and addressing potential security issues.
Do Not Publicly Disclose
- Please do not create a public GitHub issue for security vulnerabilities
- Avoid discussing potential security issues on public forums or communication channels
Private Reporting
- Report security vulnerabilities directly to our security team
- Use GitHub's private vulnerability reporting feature
- Visit: https://github.com/c15t/c15t/security
- Click "Report a vulnerability"
What to Include in Your Report
- Detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact and severity
- Your contact information
- Any proof-of-concept or supporting materials
Response Timeline
- We will acknowledge receipt of your vulnerability report within 48 hours
- Our security team will investigate and validate the report
- We aim to provide an initial assessment within 5 business days
- We will keep you informed about the progress of the investigation
What We Ask of Reporters
- Provide sufficient information to reproduce and validate the vulnerability
- Be patient while we investigate and address the issue
- Do not attempt to exploit the vulnerability
- Maintain confidentiality until we have addressed the issue
Security Best Practices
- Always use the latest version of c15t
- Keep your dependencies up to date
- Follow recommended security configurations
- Use environment variables for sensitive information
- Review code for potential security vulnerabilities
- Use static code analysis tools
- Follow secure coding practices
- Report any potential security issues immediately
Scope
Our security policy covers:
- Vulnerabilities in c15t packages
- Potential exploits in our core libraries
- Authentication and authorization mechanisms
- Data handling and privacy concerns
Out of scope:
- Third-party dependencies not directly maintained by c15t
- Issues that require physical access to systems
- Social engineering attacks
We believe in recognizing responsible security researchers. Depending on the severity and impact of the reported vulnerability, we may:
- Provide public acknowledgment in our security hall of fame
- Offer bounties for critical security findings
- Provide detailed feedback on your report
For any security-related concerns, please contact:
- Security Team: security@consent.io
- PGP Key: Available upon request for encrypted communication
By reporting a vulnerability, you agree to:
- Act in good faith
- Provide detailed and actionable information
- Not seek to harm or exploit our systems
- Comply with responsible disclosure principles
Last Updated: 2025-09-08
Version: 1.0.0