The maintainers of the ghasum project take security issues seriously. We appreciate your efforts to responsibly disclose your findings. Due to the non-funded and open-source nature of the project, we take a best-effort approach when it comes to engaging with security reports.
This document should be considered expired after 2024-12-31. If you are reading this after that date, try to find an up-to-date version in the official source repository.
Only the latest release of the project is supported with security updates.
To report a security issue in the latest release or development head, either:
- Report it through GitHub, or
- Send an email to security@ericcornelissen.dev with the terms "SECURITY" and "ghasum" in the subject line.
Please do not open a regular issue or Pull Request in the public repository.
To report a security issue in an older version (i.e. the latest release isn't affected), please do so publicly, for example as a regular issue in the public repository. If in doubt, report the issue privately.
Try to include as many of the following items as possible in a security report:
- An explanation of the problem
- A proof of concept exploit
- A suggested severity
- Relevant CWE identifiers
- The latest affected version
- The earliest affected version
- A suggested patch
- An automated regression test

| ID | Date | Affected version(s) | Patched version(s) |
|---|---|---|---|
| - | - | - | - |

We would like to publicly thank the following reporters:
- None yet