Responsible disclosure guidelines for security vulnerabilities in SIGIL.
Do NOT file public issues for security vulnerabilities.
Public disclosure of security vulnerabilities puts all SIGIL users at risk. Instead, follow our responsible disclosure process.
Send your report to: security@sigil.sh
PGP Key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Sigil Security v1.0
[Full PGP key would be here in production]
-----END PGP PUBLIC KEY BLOCK-----
💡 Tip: Encrypt sensitive reports with our PGP key to protect vulnerability details during transmission.
- Or use GitHub's private vulnerability reporting: go to the repository's GitHub Security Advisory page
- Click "Report a vulnerability"
- Fill in the form with the details listed below
- GitHub shares the report privately with the maintainers
Your report should include:
- Description: What is the vulnerability?
- Impact: What is the security impact?
- Reproduction: Steps to reproduce the issue
- Proof of Concept: Code or commands demonstrating the vulnerability
- Suggested Fix: (Optional) How you think it should be fixed
- Affected Versions: Which versions are affected?
| Stage | Timeline |
|---|---|
| Receipt | Within 48 hours |
| Initial Assessment | Within 7 days |
| Detailed Analysis | Within 14 days |
| Fix Development | Based on severity |
| Public Disclosure | After fix is released |
We classify vulnerabilities using CVSS v3.1:
| Severity | CVSS Score | Response Time |
|---|---|---|
| Critical | 9.0-10.0 | Immediate (within 48 hours) |
| High | 7.0-8.9 | Within 7 days |
| Medium | 4.0-6.9 | Within 30 days |
| Low | 0.1-3.9 | Next release |
- Receipt: We acknowledge your report within 48 hours
- Validation: We reproduce and validate the vulnerability
- Fix Development: We develop a fix (timeline depends on severity)
- Coordination: We coordinate release with you
- Public Disclosure: We publish the advisory after the fix is released
- We'll work with you to set a disclosure date
- You'll be credited in the advisory (unless you prefer to remain anonymous)
- We'll publish the advisory after the fix is available
SIGIL commits to:
- No legal action against researchers who follow this policy
- Credit for valid vulnerability reports
- Communication throughout the disclosure process
- Protection of your identity (if requested)
- ❌ Don't file public issues for security vulnerabilities
- ❌ Don't disclose vulnerabilities publicly before coordination
- ❌ Don't exploit vulnerabilities for any purpose other than testing
- ❌ Don't access or modify user data without permission
SIGIL does not currently offer a bug bounty program. However, we recognize valuable security research through:
- Credits in security advisories
- Acknowledgments in release notes
- Invitations to contribute to security improvements
For general security questions (not vulnerability reports):
- Email: security@sigil.sh
- Discussions: GitHub Security Discussions
⚠️ Warning: For vulnerability reports, use the private reporting methods above. Do not use public discussions.
- Contributing Guide: development practices
- Security Best Practices: how SIGIL protects secrets
- Audit Log: SIGIL's internal security logging
SIGIL maintains an audit log of all secret access attempts. This log is:
- Append-only: entries are only ever added, never edited or deleted in place
- Encrypted: protected at rest
- Tamper-evident: each entry is linked to the previous one by a hash chain, so an edited, removed or reordered entry breaks the chain and is detected on verification
- Monitored: alerts fire on suspicious activity
💡 Tip: Regular review of the audit log (~/.sigil/vault/audit.jsonl), including verification of its hash chain rather than only reading the entries, is recommended for security-sensitive deployments.
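The following is an added example of how a hash-chained JSONL audit log is verified, and of what such a chain does and does not catch. It is not SIGIL's own code: this page does not document SIGIL's on-disk record format, so the field names (ts, actor, action, secret, result, prev_hash, hash), the SHA-256 canonicalisation rule, the all-zero genesis value and the sample records are all assumptions. Each record carries the hash of the previous record; the verifier recomputes every hash and checks every link, and the demo shows an in-place edit, an edit with a recomputed hash, a deleted record, and a truncated tail.

```python
"""Hash-chain verification for a JSONL audit log.

Added example, not SIGIL's own code. The record format (ts, actor, action,
secret, result, prev_hash, hash), the SHA-256 canonicalisation rule and the
all-zero genesis value are assumptions; adapt them to the real format.
"""
import hashlib
import json
from typing import Iterable, Optional, Tuple

GENESIS = "0" * 64  # assumed prev_hash of the very first record

Result = Tuple[bool, Optional[int], str]  # (ok, first bad line index, head hash)


def canonical(record: dict) -> bytes:
    """Deterministic encoding of every field except the record's own hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def append_entry(log: list, prev_hash: str, **fields) -> str:
    """Append one record linked to prev_hash; returns the new head hash."""
    record = dict(fields, prev_hash=prev_hash)
    record["hash"] = entry_hash(record)
    log.append(json.dumps(record, sort_keys=True))
    return record["hash"]


def verify_chain(lines: Iterable[str], expected_head: Optional[str] = None) -> Result:
    """Walk the log and stop at the first record whose link or hash is wrong.

    expected_head is a head hash kept where a local attacker cannot reach it
    (another host, a signed checkpoint). Without it, a log truncated at the
    tail still verifies, because every remaining link is intact.
    """
    prev = GENESIS
    for i, line in enumerate(lines):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            return False, i, prev
        if not isinstance(rec, dict):
            return False, i, prev
        if rec.get("prev_hash") != prev or rec.get("hash") != entry_hash(rec):
            return False, i, prev
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, None, prev  # every link checks out, but the log is shorter
    return True, None, prev


def verify_file(path: str, expected_head: Optional[str] = None) -> Result:
    """Verify an on-disk log such as ~/.sigil/vault/audit.jsonl (assumed format)."""
    with open(path, encoding="utf-8") as f:
        return verify_chain(f, expected_head)


def build_sample_log() -> Tuple[list, str]:
    """Constructed sample records (not real SIGIL output) plus the head hash."""
    log: list = []
    head = GENESIS
    head = append_entry(log, head, ts="2024-05-01T10:00:00Z", actor="alice",
                        action="read", secret="db/password", result="ok")
    head = append_entry(log, head, ts="2024-05-01T10:05:00Z", actor="bob",
                        action="read", secret="db/password", result="denied")
    head = append_entry(log, head, ts="2024-05-01T10:10:00Z", actor="alice",
                        action="rotate", secret="db/password", result="ok")
    return log, head


def _edit(line: str, rehash: bool) -> str:
    """Flip bob's denied access to 'ok', optionally fixing up the record hash."""
    rec = json.loads(line)
    rec["result"] = "ok"
    if rehash:
        rec["hash"] = entry_hash(rec)
    return json.dumps(rec, sort_keys=True)


def demo() -> dict:
    """Run the verifier against the intact log and four tampered variants."""
    log, head = build_sample_log()
    return {
        "intact": verify_chain(log, head),
        # content changed, hash left alone: caught at line 1 by the hash check
        "edited": verify_chain(log[:1] + [_edit(log[1], False)] + log[2:], head),
        # content changed and rehashed: caught at line 2, whose prev_hash is stale
        "rehashed": verify_chain(log[:1] + [_edit(log[1], True)] + log[2:], head),
        # record removed: caught at line 1, the link now skips a hash
        "deleted": verify_chain(log[:1] + log[2:], head),
        # last record dropped: invisible to the chain alone ...
        "truncated_unanchored": verify_chain(log[:-1]),
        # ... but visible once the head hash is anchored elsewhere
        "truncated_anchored": verify_chain(log[:-1], head),
    }


if __name__ == "__main__":
    for name, (ok, bad_line, _) in demo().items():
        print(f"{name:22s} ok={ok} first_bad_line={bad_line}")
```

The truncation case is the one to remember: a hash chain proves that nothing inside the log was altered, not that the log is complete. Pair it with an externally stored head hash or entry count, or ship the log to a host the vault's users cannot write to, before relying on it as evidence.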
Security researchers help make SIGIL safer for everyone. We appreciate your responsible disclosure!