If you discover a security vulnerability in brif, please do not open a public issue.
Instead:
- Email balgaly@gmail.com with a description of the vulnerability
- Include steps to reproduce if possible
- Allow reasonable time for a fix before any public disclosure
Response timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Fix: Depends on severity — critical issues are prioritized
This policy covers the brif shell scripts, install scripts, and hook scripts in this repository.
Security design:
- No network access beyond optional IP geolocation (HTTPS only)
- No data collection or telemetry
- Input validation on all user-supplied arguments
- File permissions enforced on session directories (chmod 700)
Security reports are taken seriously. Contributors who responsibly disclose vulnerabilities will be credited in the changelog (unless they prefer to remain anonymous).