This is an open-source research / reference project. At this stage:
- The main branch is the only actively maintained line.
- There are no formal long-term support (LTS) branches.
If you are running a fork in production, you are responsible for tracking upstream changes and applying security fixes.
If you believe you’ve found a security issue in EdgeCheck or its reference diag endpoints:
- Do not open a public GitHub issue with exploit details.
- Instead, send a private report to the project maintainer (for example via the contact details in the repository’s hosting platform profile or project website).
- Include:
  - A clear description of the issue and potential impact.
  - Minimal steps to reproduce (code snippet, configuration, or request/response).
  - Any logs or screenshots that help (with secrets redacted).
You can expect:
- An acknowledgment of receipt within a reasonable timeframe.
- Follow-up questions to help reproduce and assess impact.
- Coordination on disclosure timing if the issue is confirmed.
This policy covers:
- The EdgeCheck core packages under `packages/*`.
- The reference diag endpoints under `deploy/diag-*`.
- The example Next.js UI under `examples/nextjs` (only insofar as it exposes security-sensitive behavior of the core or diag).
Third-party dependencies are out of scope except where EdgeCheck uses them incorrectly in a way that introduces a vulnerability.
EdgeCheck is not:
- A replacement for a full network security stack.
- A guarantee of compromise or VPN/proxy detection.
Findings are best-effort heuristics built on top of browser-safe APIs and public network metadata.