Do NOT report security vulnerabilities via public GitHub Issues.
Use GitHub Security Advisories for private reporting: https://github.com/randomm/vipune/security/advisories/new
This ensures responsible disclosure and gives maintainers time to address the issue before public announcement.
If you cannot access GitHub Advisories, check the repository profile for additional contact information.
When reporting a vulnerability, include:
- Description: What is the vulnerability?
- Steps to Reproduce: How can it be triggered?
- Impact: What could an attacker do? Is it exploitable in practice?
- Affected Versions: Which versions of vipune are affected?
- Suggested Fix (optional): Do you have a fix in mind?
vipune is an open-source project maintained on a best-effort basis.
We will:
- Acknowledge your report within 7 days (where possible)
- Assess the vulnerability's impact and urgency
- Work on a fix in coordination with you
- Publish a security advisory once a fix is released
Response time depends on maintainer availability and issue complexity. For critical vulnerabilities (CVSS 9.0+), we aim for expedited handling.
Once a patch is ready:
- Release a new version with the security fix
- Allow users 30 days from release to upgrade before public announcement
- Publish a public security advisory describing the vulnerability
- Credit the reporter (unless requested otherwise)
This embargo period gives users time to patch before attackers learn of the issue.
Thank you for helping keep vipune secure.