Security: MacaronCanary/MacaronCanary

SECURITY.md

Security Policy

Supported Versions

Macaron Canary is currently in its initial development stage and has not yet reached version 1.0.0. Please keep this in mind when using any part of Macaron Canary, whether the website, the macaron API, or other components. Any security vulnerability brought to our attention will be addressed as part of the ongoing development process prior to the first stable release, at which point the Supported Versions section of this policy will be updated to reflect the change.

Version | Supported
------- | ---------
< 1.0   | Yes

Reporting a Vulnerability

If you have discovered a vulnerability, you may voluntarily report it to security@macaroncanary.com from an e-mail address at which you can easily be reached, using the following template as a suggestion:

Name (Optional: Pronouns): [Your name, optionally also your pronouns]
GitHub (Optional): [Your GitHub]
Title: [e.g. VULN at LOCATION via METHOD]
Description: [Expand on the title with more details on the vulnerability,
              how the vulnerability occurred]
Reproduce: [Supporting material on how to reproduce including code, tools
            and/or commands used, etc.]
Impact: [Severity here with justification why]
Comments (Optional): [Any recommendations, comments, questions, etc.]

All vulnerabilities reported by this method will receive a response, whether accepted or not, within 48 hours. If rejected, an explanation will be provided. If accepted, a draft security advisory will be opened on GitHub. If you provided a GitHub username in your report, it will be added to the new security advisory, where you may further discuss the issue and, if you wish, be involved in fixing the vulnerability.

The Macaron Canary project cannot currently provide monetary compensation and understands that vulnerabilities may be disclosed publicly without prior notification to the project. However, it would be highly appreciated if a few days' notice were given to security@macaroncanary.com prior to public disclosure, so that a fix can be started and/or completed by the time the bug(s) are made public.

There aren’t any published security advisories