Security: Jason-Furr/.github

SECURITY.md

Security Policy

Audience: humans

This policy applies to every repository in the Jason-Furr GitHub organization. GitHub propagates this file from the .github repository as the default for any organization repository that does not define its own.

Reporting a vulnerability

If you believe you have discovered a security vulnerability in any repository under the Jason-Furr organization, please report it privately. Do not open a public issue describing the vulnerability, and do not discuss the vulnerability publicly until it has been acknowledged and addressed.

Reporting channels, in order of preference:

  1. Private security advisory. GitHub's "Report a vulnerability" feature on the affected repository creates a private advisory visible only to the maintainer and to GitHub's security team. This is the preferred channel.
  2. Email. A direct email to security@jasonfurr.com (this address may be configured as an alias to the maintainer's personal address). Use a clear subject line that identifies the affected repository.

Include in your report:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce.
  • The affected repository and, where applicable, version or commit.
  • Your name and contact information (optional, for credit).

What to expect

  • Acknowledgment of your report within 5 business days.
  • An assessment of the issue and a proposed remediation timeline within 14 days of acknowledgment.
  • Coordinated disclosure once a fix has shipped: the vulnerability is documented in the repository's CHANGELOG.md, with the reporter credited if they consented.

Scope

In scope:

  • Code in any repository under the Jason-Furr GitHub organization.
  • Distributed binaries, packages, and game builds shipping under the Jason Furr name.

Out of scope:

  • Third-party dependencies (report those upstream).
  • Issues in the user's own environment, network, or device.
  • Social engineering of maintainers or users.
  • Theoretical vulnerabilities without demonstrable impact.

Safe-harbor statement

Good-faith security research is welcomed. As long as a report follows this policy and respects user privacy, the maintainer will not pursue legal action against the reporter. Activities that disrupt service, exfiltrate user data, or violate applicable law are not protected.
