Security: sshman-org/sshman

SECURITY.md

Reporting a Vulnerability

If you believe you’ve found a security vulnerability in sshman, please report it privately and responsibly. Do not open a public GitHub issue for security reports.

How to report

Preferred channels:

  • GitHub Security Advisory (recommended):
    1. Go to the sshman repository.
    2. Click on the Security tab.
    3. Click “Report a vulnerability” and fill out the form.

What to include

To help me triage and fix the issue quickly, please include where possible:

  • The version/commit of sshman you tested.
  • Your OS / environment (e.g. Linux distro, version).
  • A clear description of the issue and impact.
  • Steps to reproduce and, if possible, a minimal PoC.
  • Any suggested mitigations or fixes (optional).

Response and updates

  • I aim to acknowledge your report within 3 business days.
  • I will investigate and provide an initial assessment within 10 business days, or let you know if more time is needed.
  • If the report is accepted as a vulnerability:
    • I will work on a fix and, where appropriate, create a GitHub Security Advisory so we can coordinate privately until a patched release is available.
    • You will be credited in the advisory and/or release notes if you wish, or remain anonymous if you prefer.
  • If the report is not considered a security vulnerability (e.g. it’s a regular bug or expected behavior), I’ll explain why and, where appropriate, direct it to the normal issue/bug process.

Public disclosure

Please give me a reasonable amount of time to develop and release a fix before you disclose details publicly. I generally aim to release fixes as soon as practical, and no later than 90 days from confirmation, unless we mutually agree otherwise.

Thank you for helping keep sshman and its users secure.