Thank you for helping keep these projects and their users safe. This policy applies to the open-source projects maintained by Kevin P. Inscoe. Where a project has its own SECURITY.md, that project's policy takes precedence.

Security fixes generally target the latest released version and the current default branch. Older releases may not receive security updates. A project's own SECURITY.md may define a different support policy.

Do not report security vulnerabilities through public issues, pull requests, or discussions. Public disclosure before a fix is available puts users at risk.

Use one of these private channels instead:
- GitHub Private Vulnerability Reporting (preferred). On the affected repository, go to the Security tab and click "Report a vulnerability" if that option is available. This opens a private, tracked report visible only to the maintainer.
- Email (fallback). Send the details to kevin.inscoe@gmail.com.

A good report helps the issue get fixed faster. Please include:
- A description of the vulnerability and its potential impact.
- The affected project, and the version or commit where you found it.
- Step-by-step instructions to reproduce it (a minimal proof of concept is ideal).
- Any suggested remediation, if you have one.

After you report, you can expect:
- Acknowledgement: within 5 business days.
- Assessment: the report will be triaged and its severity and scope confirmed.
- Fix and coordination: the fix will be developed privately. A disclosure timeline will be coordinated with you before any public release.
- Credit: with your permission, you will be credited when the fix is published. Let me know if you prefer to remain anonymous.

This policy covers the source code and released artifacts of the projects it applies to. It does not cover:
- Vulnerabilities in third-party dependencies — report those to the upstream project (a heads-up here is still welcome).
- Issues that require physical access to a user's machine or already-compromised credentials.

For non-sensitive questions about this policy, open a regular issue or email kevin.inscoe@gmail.com.