Security fixes land on the default branch of krabresearch/Doop (main, or whatever GitHub marks as default). Older tags or forks may not receive backports unless maintainers agree.
Do not open a public issue for an undisclosed vulnerability.
Preferred: GitHub private vulnerability reporting for this repository (when enabled for the org).
Include:
- Short impact summary
- Reproduction steps (safe PoC if possible)
- Affected commit SHA or version if known
We try to acknowledge within a few business days and coordinate disclosure after a fix.
This policy covers this repository, its Vite/TypeScript app, scripts, and docs. Third-party HTTP APIs and hosted services you configure at runtime are out of scope—report those to their vendors.
Doop's worker is not an arbitrary command runner. server/runner.mjs accepts POST /run, validates phaseKey against a fixed allowlist, and spawns only the reviewed argv arrays registered in that file.
Security invariants:
- No user-provided shell strings are executed.
- Request bodies are capped before parsing.
- Each phase has a hard timeout, and subprocesses that exceed it are killed.
- Browser-rendered trace content is escaped before it is inserted into the DOM.
- Mission data may reference phase keys, but it cannot define commands.
When adding a new phase, prefer the smallest fixed command that proves the behavior you need. Do not add general shell passthroughs.