Please report security issues privately.
Do not open a public GitHub issue for an unpatched vulnerability.
Use one of these private channels:
- hello@respawn.pro
- GitHub private vulnerability reporting, if it is enabled for this repository
If you are unsure whether something is security-sensitive, report it privately first.
Please include as much of the following as possible:
- affected version, tag, or commit
- impact and attack scenario
- clear reproduction steps or proof of concept
- relevant environment details
- whether the issue is already publicly known
Reports that are concrete and reproducible are much easier to triage quickly.
We aim to acknowledge security reports within 7 days and follow up on a best-effort basis until resolution.
We do not currently publish a fixed remediation SLA.
Security fixes are handled on a best-effort basis for the latest release and the current main branch.
Users of older versions may be asked to upgrade rather than receive backported fixes.
Examples of issues that should be reported through the private security process include:
- credential disclosure
- authentication or session-handling flaws
- unsafe file access or workspace-boundary bypasses
- command-execution vulnerabilities
- supply-chain or release-integrity issues
Please allow maintainers a reasonable opportunity to investigate and ship a fix before public disclosure.
Once a fix is available, we may coordinate timing for public disclosure and release notes.
There is currently no bug bounty program.