
Security: UniverLab/texforge


SECURITY.md


Badges: Private Disclosure | 48h SLA | Critical Fix | Reproducible Security

Security is a shared responsibility.
If you find a vulnerability, please report it privately and avoid public disclosure until a fix is coordinated.


🚨 Report a Vulnerability

Do not open public issues for security vulnerabilities.

Use one of these channels:

  • Email: jheison.mb@gmail.com
  • GitHub Security Advisory (preferred for repository-specific vulnerabilities)

Recommended report contents:

  • Affected project and version
  • Reproduction steps
  • Impact and threat model
  • Proof of concept (if safe)
  • Suggested remediation (optional)

⏱️ Response and Disclosure Timeline

Severity             | Acknowledge | Fix target | Public disclosure target
Critical (CVSS 9-10) | 48h         | 7 days     | 14 days
High (CVSS 7-8)      | 48h         | 14 days    | 30 days
Medium/Low           | 48h         | 30-90 days | With release notes/advisory

We may adjust timelines when exploit complexity or ecosystem impact requires it.


πŸ” Security Principles

  • Minimize dependencies to reduce attack surface
  • Prefer memory-safe defaults (Rust where practical)
  • Keep systems reproducible and auditable
  • Use vetted crypto primitives and libraries
  • Avoid secret leakage in code, logs, and artifacts

πŸ‘©β€πŸ’» Secure Development Checklist

✅ Do:

  • Validate and sanitize input
  • Use parameterized queries and safe serializers
  • Enforce TLS for remote communication
  • Audit dependencies regularly:
    • cargo audit
    • npm audit
    • pip-audit
  • Keep CI checks for linting, tests, and known-vuln scanning

❌ Do not:

  • Hardcode tokens/passwords
  • Trust unvalidated user input
  • Log secrets or private keys
  • Bypass critical checks in release workflows

🧩 Context-Specific Controls

Context   | Minimum controls
CLI tools | Input/path validation, safe file permissions, predictable behavior
Daemons   | Authentication, authorization, rate-limiting, security event logging
Web/API   | HTTPS, CORS hardening, SQLi/XSS/CSRF protections
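The checklist's "validate and sanitize input" item and the CLI-tools row above ("input/path validation, safe file permissions") are easiest to see in code. The following is an added example, not texforge's own code: a user-supplied output path is confined to a base directory, first lexically (no `..`, no absolute paths) and then by canonicalizing the parent directory so a symlink under the base cannot redirect the write, and the file is created with owner-only permissions and without clobbering an existing file. The function names, the `PathError` type and the base directory used in `main` are assumptions for the demo; the example is Unix-only because it sets the file mode through `OpenOptionsExt`.

```rust
// Added example for texforge's SECURITY.md checklist; not the project's own code.
// Shows "input/path validation" and "safe file permissions" for a CLI tool:
// a user-supplied output path is confined to a base directory, then the file
// is created with owner-only permissions. All names here are hypothetical.
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::OpenOptionsExt;
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum PathError {
    Empty,
    Absolute,
    Traversal,
}

/// Lexically join `requested` onto `base`, rejecting empty input, absolute
/// paths and any `..` component. No filesystem access happens here, so a
/// rejected path is never created, opened or even stat'ed.
pub fn confine(base: &Path, requested: &str) -> Result<PathBuf, PathError> {
    if requested.is_empty() {
        return Err(PathError::Empty);
    }
    let mut out = base.to_path_buf();
    for comp in Path::new(requested).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            Component::ParentDir => return Err(PathError::Traversal),
            Component::RootDir | Component::Prefix(_) => return Err(PathError::Absolute),
        }
    }
    Ok(out)
}

/// Write `data` to `requested` under `base`. The lexical check above runs
/// first; then the parent directory is canonicalized and must still resolve
/// inside `base` (this catches a symlink under `base` that points elsewhere).
/// The parent must already exist: creating it before the canonical check would
/// let such a symlink redirect the directory creation itself.
pub fn write_confined(base: &Path, requested: &str, data: &[u8]) -> io::Result<PathBuf> {
    let target = confine(base, requested)
        .map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, format!("{e:?}")))?;
    let parent = target.parent().unwrap_or(base);
    let canon_base = base.canonicalize()?;
    let canon_parent = parent.canonicalize()?; // fails if the parent does not exist
    if !canon_parent.starts_with(&canon_base) {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            "parent directory resolves outside the base directory",
        ));
    }
    let mut file = OpenOptions::new()
        .write(true)
        .create_new(true) // O_CREAT|O_EXCL: never clobber, and fails on a symlink at `target`
        .mode(0o600) // owner read/write only; other local users cannot read the output
        .open(&target)?;
    file.write_all(data)?;
    Ok(target)
}

fn main() {
    // Constructed inputs; the base directory is assumed for this demo.
    let base = Path::new("/tmp/texforge-out");
    for req in ["paper/out.pdf", "../../etc/passwd", "/etc/shadow", ""] {
        println!("{req:?} -> {:?}", confine(base, req));
    }
}
```

The two-stage check is deliberate: the lexical pass gives a clear, testable error before anything touches the disk, while the canonical pass handles the case the lexical pass cannot see (a symlinked subdirectory). `create_new` is what makes the write predictable: an existing file, or a symlink planted at the target name, turns into an error rather than a silent overwrite.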

🧪 Audits and Pen Testing

Responsible research is welcome.

Rules:

  • Do not access unrelated private data
  • Do not disrupt service availability
  • Coordinate disclosure before publishing details

For planned audits, contact maintainers first to align scope and timeline.


📦 Security Releases

  • Critical patches are prioritized immediately
  • Security fixes are documented in changelogs/advisories
  • Breaking changes for security may be introduced when necessary

Supported target: latest maintained stable versions of each project.


🔗 Resources


Build fast, disclose responsibly, fix decisively.

There aren’t any published security advisories