
Security: P3consultingtech/afm


SECURITY.md

Security Policy

Reporting a vulnerability

If you discover a security vulnerability in AFM, please report it privately.

Do not open a public GitHub issue.

How to report

Email: security@p3consulting.tech

Optional: encrypt your report with our PGP key (available on request).

What to include

  • A clear description of the vulnerability
  • Steps to reproduce (minimum: code path, request payload, expected vs actual behavior)
  • Version / commit hash of the affected code
  • Impact assessment from your perspective
  • Any proof-of-concept you have (please do not test against third-party deployments)

What to expect

We will:

  1. Acknowledge receipt within 5 business days
  2. Investigate and assess severity
  3. Publish a security advisory on GitHub Security Advisories if confirmed
  4. Credit you in the advisory, unless you prefer to stay anonymous

Note that because AFM is a reference release without active maintenance, we may not produce a patch for this repository. In that case we will:

  • Document the vulnerability and recommended mitigations in a public advisory
  • Notify known downstream consumers (community forks we are aware of) if reasonable
  • Fix it in our actively maintained commercial product if applicable

If you need a patched version for your production deployment, consider moving to a maintained fork or to Anvil MDM.

Scope

In scope for security reports:

  • Authentication and authorization flaws
  • SQL injection, XSS, CSRF, SSRF
  • Secrets exposure in logs, responses, or repository history
  • Privilege escalation between tenants
  • Insecure defaults that lead to exploitable misconfigurations

Out of scope:

  • Issues requiring physical access to a running deployment
  • Social engineering
  • Denial of service without a practical exploitation path
  • Bugs in third-party dependencies (report to upstream)
  • Known missing features (webhook sync, audit log population, rate limiting) that are documented as TODO in the README

Safe harbor

We support coordinated disclosure in good faith. If you make a reasonable effort to report privately and give us time to respond, we will not pursue legal action against you for research conducted within this policy's scope.

Thank you for helping keep the MDM ecosystem safer.
