Security Policy
We take security seriously. We appreciate your efforts to responsibly disclose vulnerabilities and will make every effort to acknowledge your contributions. Table of Contents
Reporting a Vulnerability
What to Include
Response Timeline
Disclosure Policy
Scope
Safe Harbour
Recognition
Security Updates
Security Best Practices
Reporting a Vulnerability Preferred Method: GitHub Security Advisories
The preferred method for reporting security vulnerabilities is through GitHub's Security Advisory feature:
Navigate to Report a Vulnerability
Click "Report a vulnerability"
Complete the form with as much detail as possible
Submit — we'll receive a private notification
This method ensures:
End-to-end encryption of your report
Private discussion space for collaboration
Coordinated disclosure tooling
Automatic credit when the advisory is published
Alternative: Encrypted Email
If you cannot use GitHub Security Advisories, you may email us directly:
Email security@hyperpolymath.org PGP Key Download Public Key Fingerprint See GPG key
curl -sSL https://hyperpolymath.org/gpg/security.asc | gpg --import
gpg --fingerprint security@hyperpolymath.org
gpg --armor --encrypt --recipient security@hyperpolymath.org report.txt
⚠️ Important: Do not report security vulnerabilities through public GitHub issues, pull requests, discussions, or social media.
What to Include
A good vulnerability report helps us understand and reproduce the issue quickly. Required Information
Description: Clear explanation of the vulnerability
Impact: What an attacker could achieve (confidentiality, integrity, availability)
Affected versions: Which versions/commits are affected
Reproduction steps: Detailed steps to reproduce the issue
Helpful Additional Information
Proof of concept: Code, scripts, or screenshots demonstrating the vulnerability
Attack scenario: Realistic attack scenario showing exploitability
CVSS score: Your assessment of severity (use CVSS 3.1 Calculator)
CWE ID: Common Weakness Enumeration identifier if known
Suggested fix: If you have ideas for remediation
References: Links to related vulnerabilities, research, or advisories
Example Report Structure
[One-sentence description of the vulnerability]
[e.g., SQL Injection, XSS, SSRF, Path Traversal, etc.]
[File path, function name, API endpoint, etc.]
[Version range or specific commits]
- CVSS 3.1 Score: [X.X]
- CVSS Vector: [CVSS:3.1/AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X]
[Detailed technical description]
- [First step]
- [Second step]
- [...]
[Code, curl commands, screenshots, etc.]
[What can an attacker achieve?]
[Optional: your ideas for fixing]
[Links to related issues, CVEs, research]
Response Timeline
We commit to the following response times: Stage Timeframe Description Initial Response 48 hours We acknowledge receipt and confirm we're investigating Triage 7 days We assess severity, confirm the vulnerability, and estimate timeline Status Update Every 7 days Regular updates on remediation progress Resolution 90 days Target for fix development and release (complex issues may take longer) Disclosure 90 days Public disclosure after fix is available (coordinated with you)
Note: These are targets, not guarantees. Complex vulnerabilities may require more time. We'll communicate openly about any delays.
Disclosure Policy
We follow coordinated disclosure (also known as responsible disclosure):
You report the vulnerability privately
We acknowledge and begin investigation
We develop a fix and prepare a release
We coordinate disclosure timing with you
We publish security advisory and fix simultaneously
You may publish your research after disclosure
Our Commitments
We will not take legal action against researchers who follow this policy
We will work with you to understand and resolve the issue
We will credit you in the security advisory (unless you prefer anonymity)
We will notify you before public disclosure
We will publish advisories with sufficient detail for users to assess risk
Your Commitments
Report vulnerabilities promptly after discovery
Give us reasonable time to address the issue before disclosure
Do not access, modify, or delete data beyond what's necessary to demonstrate the vulnerability
Do not degrade service availability (no DoS testing on production)
Do not share vulnerability details with others until coordinated disclosure
Disclosure Timeline
Day 0 You report vulnerability Day 1-2 We acknowledge receipt Day 7 We confirm vulnerability and share initial assessment Day 7-90 We develop and test fix Day 90 Coordinated public disclosure (earlier if fix is ready; later by mutual agreement)
If we cannot reach agreement on disclosure timing, we default to 90 days from your initial report. Scope In Scope ✅
The following are within scope for security research:
This repository (hyperpolymath/terrapin-ssg) and all its code
Official releases and packages published from this repository
Documentation that could lead to security issues
Build and deployment configurations in this repository
Dependencies (report here, we'll coordinate with upstream)
Out of Scope ❌
The following are not in scope:
Third-party services we integrate with (report directly to them)
Social engineering attacks against maintainers
Physical security
Denial of service attacks against production infrastructure
Spam, phishing, or other non-technical attacks
Issues already reported or publicly known
Theoretical vulnerabilities without proof of concept
Qualifying Vulnerabilities
We're particularly interested in:
Remote code execution
SQL injection, command injection, code injection
Authentication/authorisation bypass
Cross-site scripting (XSS) and cross-site request forgery (CSRF)
Server-side request forgery (SSRF)
Path traversal / local file inclusion
Information disclosure (credentials, PII, secrets)
Cryptographic weaknesses
Deserialisation vulnerabilities
Memory safety issues (buffer overflows, use-after-free, etc.)
Supply chain vulnerabilities (dependency confusion, etc.)
Significant logic flaws
Non-Qualifying Issues
The following generally do not qualify as security vulnerabilities:
Missing security headers on non-sensitive pages
Clickjacking on pages without sensitive actions
Self-XSS (requires victim to paste code)
Missing rate limiting (unless it enables a specific attack)
Username/email enumeration (unless high-risk context)
Missing cookie flags on non-sensitive cookies
Software version disclosure
Verbose error messages (unless exposing secrets)
Best practice deviations without demonstrable impact
Safe Harbour
We support security research conducted in good faith. Our Promise
If you conduct security research in accordance with this policy:
✅ We will not initiate legal action against you
✅ We will not report your activity to law enforcement
✅ We will work with you in good faith to resolve issues
✅ We consider your research authorised under the Computer Fraud and Abuse Act (CFAA), UK Computer Misuse Act, and similar laws
✅ We waive any potential claim against you for circumvention of security controls
Good Faith Requirements
To qualify for safe harbour, you must:
Comply with this security policy
Report vulnerabilities promptly
Avoid privacy violations (do not access others' data)
Avoid service degradation (no destructive testing)
Not exploit vulnerabilities beyond proof-of-concept
Not use vulnerabilities for profit (beyond bug bounties where offered)
⚠️ Important: This safe harbour does not extend to third-party systems. Always check their policies before testing.
Recognition
We believe in recognising security researchers who help us improve. Hall of Fame
Researchers who report valid vulnerabilities will be acknowledged in our Security Acknowledgments (unless they prefer anonymity).
Recognition includes:
Your name (or chosen alias)
Link to your website/profile (optional)
Brief description of the vulnerability class
Date of report
What We Offer
✅ Public credit in security advisories
✅ Acknowledgment in release notes
✅ Entry in our Hall of Fame
✅ Reference/recommendation letter upon request (for significant findings)
What We Don't Currently Offer
❌ Monetary bug bounties
❌ Hardware or swag
❌ Paid security research contracts
Note: We're a community project with limited resources. Your contributions help everyone who uses this software.
Security Updates Receiving Updates
To stay informed about security updates:
Watch this repository: Click "Watch" → "Custom" → Select "Security alerts"
GitHub Security Advisories: Published at Security Advisories
Release notes: Security fixes noted in CHANGELOG
Update Policy Severity Response Critical/High Patch release as soon as fix is ready Medium Included in next scheduled release (or earlier) Low Included in next scheduled release Supported Versions Version Supported Notes main branch ✅ Yes Latest development Latest release ✅ Yes Current stable Previous minor release ✅ Yes Security fixes backported Older versions ❌ No Please upgrade Security Best Practices
When using terrapin-ssg, we recommend: General
Keep dependencies up to date
Use the latest stable release
Subscribe to security notifications
Review configuration against security documentation
Follow principle of least privilege
For Contributors
Never commit secrets, credentials, or API keys
Use signed commits (git config commit.gpgsign true)
Review dependencies before adding them
Run security linters locally before pushing
Report any concerns about existing code
Additional Resources
Our PGP Public Key
Security Advisories
Changelog
Contributing Guidelines
CVE Database
CVSS Calculator
Contact Purpose Contact Security issues Report via GitHub or security@hyperpolymath.org General questions GitHub Discussions Other enquiries See README for contact information Policy Changes
This security policy may be updated from time to time. Significant changes will be:
Committed to this repository with a clear commit message
Noted in the changelog
Announced via GitHub Discussions (for major changes)
Thank you for helping keep terrapin-ssg and its users safe.