
Security Policy

Taiizor edited this page Jun 5, 2026 · 1 revision


Audience: users, researchers, contributors. This page describes how to report a security vulnerability in Sucrose responsibly. The project follows coordinated (responsible) disclosure: report privately by email, do not disclose publicly until a fix has shipped, and the team keeps your report confidential. The authoritative source is .github/SECURITY.md.

How to report a vulnerability

Report security issues privately by email to:

taiizor@vegalya.com

Do not open a public GitHub issue, pull request, or Discussion for a security vulnerability: public disclosure before a fix is available puts users at risk. Email is the dedicated, confidential channel for security reports.


What to include in your report

To help the maintainer reproduce and fix the issue quickly, include:

  • A descriptive subject line identifying it as a security report.
  • The affected file and line (optional, but helpful).
  • Reproduction details: how the vulnerability can be triggered, under what conditions, and what its impact is.
  • Your name or alias for acknowledgment (optional).

Disclosure policy

  • Confidentiality. The team keeps all security reports confidential while a fix is being prepared.
  • Coordinated disclosure. Please do not disclose the issue publicly until it has been fixed.
  • Announcement after the fix. The team announces the vulnerability after the fix ships in a new version, so users have a patched release available before details are public.

Sucrose uses a date-based version scheme (yy.MM.dd(.0)); a security fix is delivered as a normal new release through the usual channels (see Updating Sucrose and Installation).


What not to do

  • Do not file a public issue, PR, or Discussion describing the vulnerability.
  • Do not publish proof-of-concept exploits, write-ups, or details before the fix is released.
  • Do not test against other users' machines or any infrastructure you do not own.

Related privacy & telemetry notes

Security and privacy are documented separately. Sucrose's optional, opt-in telemetry and crash-reporting behavior (what is collected, where it is sent, and how to disable it) is documented on Privacy & Telemetry. One item of note covered there: the optional PersonalAccessToken setting is stored in plaintext JSON under %AppData%\Sucrose\. That is a privacy/handling note rather than a reported vulnerability; treat the token like any other secret and do not share the configuration file or include the token in a report.

For general support that is not security-sensitive, use the public channels in Getting Help.


See also

  • Home
  • Getting Started
  • Wallpaper Types
  • Using Sucrose
  • Settings Reference
  • Creating Wallpapers
  • Engine Reference
  • Automation & Command Line
  • Architecture & Internals
  • Data, Files & Diagnostics
  • Building & Contributing
  • Help & Support
