Only the latest release on the main branch is supported with security updates.
If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public GitHub issue.
- Use GitHub Security Advisories to report the vulnerability privately.
- Include:
  - A description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
You should receive an acknowledgement within 72 hours. We will work with you to understand the issue and coordinate a fix before any public disclosure.
This policy covers:
- The Ethstar web application (frontend and backend)
- GitHub Actions workflows in this repository
- OAuth token handling and authentication flows
Out of scope:
- Third-party services (GitHub API, Vercel infrastructure)
- Social engineering attacks
- Denial of service attacks against GitHub's API

Security measures currently in place:
- Dependencies are monitored by Dependabot and CodeQL
- Go code is scanned with gosec (OWASP-style checks)
- GitHub Actions are pinned to commit SHAs to prevent supply-chain attacks
- OAuth tokens use minimal scopes and short-lived expiry