Do NOT open a public issue for security vulnerabilities.
Instead, please email hi@santifer.io with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
You will receive a response within 72 hours. We will work with you to understand and address the issue before any public disclosure.
Security issues in the following are in scope:
- Scripts (`*.mjs`) — command injection, path traversal, SSRF
- Dashboard (`dashboard/`) — any Go binary vulnerabilities
- Templates (`templates/`) — XSS in generated HTML/PDF
- Configuration — secrets exposure, unsafe defaults
The following are out of scope:
- Issues in third-party dependencies (report upstream)
- Issues requiring physical access to the user's machine
- Social engineering attacks
- career-ops is a local tool — there is no hosted service to attack
We follow coordinated disclosure. Once a fix is released, we will credit the reporter (unless they prefer anonymity) in the release notes.