Security Risk Advisors (SRA) takes security bugs in our software seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

We have enabled private vulnerability reporting for all of our repos, you can go to the Security tab and start the process there.

If you wish, you can also report an issue to us via email -- email our team at security@sra.io .

SRA will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

If you would prefer to use Signal or another E2EE messaging platform, please let us know in the initial email and we can try to accommodate.

Report security bugs in third-party products and scripts to the person or team maintaining the module, although we can typically assist in forwarding you to the correct person.

We follow a 90-day disclosure timeline. Indicated times may run longer in certain circumstances. Our goal is to maintain contact and work collaboratively to resolve, credit and disclose the issue.

1. Initial Contact (3 business days) - We will respond to you as soon as possible to confirm receipt of the report and coordinate an alternate communications method (e.g. Signal) if requested.

2. Confirming the issue (1 week) - We will review your report and will work with you to confirm the vulnerability and impact. If needed, we will coordinate with you to open a CVE. In the case we cannot verify the issue, or consider the issue invalid, we will let you know.

3. Identifying and implementing a fix (1 week - 8 weeks)- Our team will identify a fix for the problem and a timeline to remediate. We will provide the timeline to you. In the case we cannot meet the 90 day disclosure due to remediation dependencies or other extenuating circumstances we will work with you to establish a new disclosure timeline.

4. Reviewing the fix (1 week)- We will release a fix on a private branch and have you confirm the issue is remediated. Once confirmed we'll publically release the fix.

5. Coordinated disclosure - We will coordinate with you for disclosure of the vulnerability, ensuring you get attribution for the find.