If you discover a security vulnerability in SignalCraft, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, please email the maintainer directly:
- sanprat — sanprat on GitHub
Include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgement: within 48 hours
- Initial assessment: within 5 business days
- Fix or mitigation: prioritised based on severity
The following are in scope:
- Authentication and session management flaws
- SQL injection, XSS, SSRF, or other injection attacks
- Broken access control or privilege escalation
- Secrets exposure via logs, error messages, or API responses
- Insecure default configurations
- Denial of service attacks
- Social engineering
- Issues in third-party dependencies (report upstream)
| Version | Supported |
|---|---|
Latest main |
✅ |
| Older releases | ❌ |
See the README for environment variable guidance and deployment hardening.