I take the security of sps2 seriously. I appreciate your efforts to responsibly disclose your findings, and I will make every effort to acknowledge and address them.
sps2 is currently in the early stages of development and has not yet had a stable release. As such, there are no formal version branches with dedicated security support. Security patches will be applied to the latest commit on the main branch only.
To report a security vulnerability, please send an email to alexander.knott@posteo.co.
To ensure the confidentiality of the report, I strongly encourage you to encrypt your email using my public GPG key. You can typically find it on public key servers like keys.openpgp.org or keyserver.ubuntu.com by searching for my email address.
In your report, please include:
- A clear description of the vulnerability.
- The steps required to reproduce it.
- The potential impact of the vulnerability.
- Any proof-of-concept code or screenshots, if applicable.
As I am the sole contributor developing this project in my spare time, please understand that I cannot offer guaranteed response times. However, I will do my best to adhere to the following process:
- Acknowledge: I will try to acknowledge receipt of your report within 72 hours.
- Investigate: I will investigate the report to confirm the vulnerability.
- Remediate: If the vulnerability is confirmed, I will work on a patch.
- Notify: I will notify you once the fix has been merged into the main branch.
This policy will evolve as the project matures. Thank you for helping to keep sps2 secure.