HumbleBee is a local-first work time tracker. Security reports are welcome and should be handled privately first so users have time to update before details are public.
HumbleBee is pre-1.0 software. Security fixes are provided for the latest released version and the current main branch on a best-effort basis.
Older versions may not receive backported fixes unless the issue is severe and a backport is practical.
Please do not report suspected vulnerabilities through public GitHub issues.
Use GitHub private vulnerability reporting:
https://github.com/grobmeier/humblebee/security/advisories/new
Include as much of the following as you can:
- Affected HumbleBee version or commit.
- Operating system and installation method.
- Steps to reproduce.
- Expected and actual impact.
- Whether the issue requires local access, a malicious import file, or another precondition.
- Any logs, crash output, or proof-of-concept files that are safe to share privately.
The project aims to:
- Acknowledge new security reports within 7 days.
- Assess severity and affected versions within 30 days.
- Coordinate fixes privately before public disclosure when user risk justifies it.
- Publish a security advisory for confirmed vulnerabilities that affect released versions.
- Credit reporters unless they prefer to remain anonymous.
Timelines may vary for volunteer-maintained releases, but severe issues that can affect user data will be prioritized.
Security updates are distributed through normal HumbleBee releases. Users should install the newest release from GitHub Releases, Homebrew, or Scoop.
Release artifacts include checksums, which users should verify against the downloaded files before installing. GitHub Actions also generates a machine-readable CycloneDX SBOM for dependency review and release evidence. Published releases include the SBOM as a versioned release asset, for example HumbleBee_v0.2.1_sbom.cdx.json.
In scope:
- Vulnerabilities in the HumbleBee CLI or GUI.
- Issues that can corrupt, disclose, or unexpectedly modify local time tracking data.
- Unsafe handling of imported Time & Bill exports or local database files.
- Build, packaging, or release-process weaknesses that could affect distributed artifacts.
Out of scope:
- Issues that require an attacker to already have full control of the user's local account or machine and that do not increase impact beyond that access.
- Vulnerabilities only in unsupported operating systems or obsolete HumbleBee versions.
- Reports without enough detail to reproduce or assess risk.
Dependency updates are tracked with Dependabot for Go modules, frontend npm packages, and GitHub Actions. SBOM files are generated by GitHub Actions in CycloneDX JSON format.
The release SBOM is a release-level SBOM for the HumbleBee source tree: it covers the CLI and GUI dependency manifests used to build the release, so it records the declared dependencies rather than a per-binary inventory of each shipped package. Separate artifact-specific SBOMs can be introduced later if the CLI and GUI release packages need independent supply-chain evidence.
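The two release-evidence steps above (verifying a download against its checksum, and reading the CycloneDX SBOM that ships with the release) can be exercised offline with the following added example. It is not code from the HumbleBee project; the archive name, the sha256sum-style layout of the checksum file and the SBOM contents are constructed for the demonstration, and real releases may name and lay out these files differently.

```python
"""Verify a release download against its checksum file and list the
components recorded in the release's CycloneDX SBOM.

Added example, not HumbleBee project code. The archive name, the
checksum file format and the SBOM below are constructed assumptions.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed stand-ins for a release archive and a minimal CycloneDX SBOM.
FAKE_ARCHIVE = b"HumbleBee release archive (constructed sample)\n"
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "golang.org/x/crypto", "version": "0.21.0",
         "purl": "pkg:golang/golang.org/x/crypto@0.21.0"},
        {"type": "library", "name": "react", "version": "18.2.0",
         "purl": "pkg:npm/react@18.2.0"},
    ],
}


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksums(text):
    """Parse sha256sum(1)-style lines: '<hex>  <name>' or '<hex> *<name>'.
    Returns {filename: lowercase hex digest}; malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or line.lstrip().startswith("#"):
            continue
        digest, name = parts
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            continue
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_artifact(path, checksums):
    """True only if the file is listed and its digest matches the entry.
    An unlisted file is a failure, not a pass: silence is not verification."""
    expected = checksums.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def sbom_components(sbom):
    """Return (name, version, purl) for every component in a CycloneDX JSON
    document, rejecting documents that do not declare the CycloneDX format."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c.get("name"), c.get("version"), c.get("purl"))
            for c in sbom.get("components", [])]


def demo():
    """Run the checks on constructed files: a clean download verifies,
    a download altered by one byte fails, and the SBOM lists its components."""
    with tempfile.TemporaryDirectory() as d:
        # Archive name is an assumption; only the basename matters for lookup.
        archive = os.path.join(d, "HumbleBee_v0.2.1_linux_amd64.tar.gz")
        with open(archive, "wb") as f:
            f.write(FAKE_ARCHIVE)
        # Checksum file in the layout sha256sum(1) emits (assumed format).
        checksum_text = f"{sha256_file(archive)}  {os.path.basename(archive)}\n"
        checksums = parse_checksums(checksum_text)
        clean_ok = verify_artifact(archive, checksums)

        # Simulate a tampered or truncated download: append a single byte.
        with open(archive, "ab") as f:
            f.write(b"x")
        tampered_ok = verify_artifact(archive, checksums)

        components = sbom_components(json.loads(json.dumps(SAMPLE_SBOM)))
        return clean_ok, tampered_ok, components


if __name__ == "__main__":
    ok, bad, comps = demo()
    print("clean download verifies:", ok)
    print("tampered download verifies:", bad)
    for name, version, purl in comps:
        print(f"{name} {version} ({purl})")
```

The component list is the starting point for the dependency review the page mentions: the purl values map directly onto the Go module and npm package ecosystems that Dependabot tracks for this project, so they can be matched against advisory feeds without re-resolving the build.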