The ObsFind team takes security vulnerabilities seriously. We appreciate your efforts to disclose your findings responsibly and will make every effort to acknowledge your contributions.
To report a security vulnerability, please follow these steps:
1. Do not disclose the vulnerability publicly
   - Please do not create a public GitHub issue for security vulnerabilities
2. Email the security team
   - Send your findings to: security@example.com
   - Use a descriptive subject line, e.g., "Security Vulnerability in ObsFind: XSS in Search Results"
3. Include detailed information
   - ObsFind version affected
   - Detailed steps to reproduce
   - Potential impact of the vulnerability
   - Any potential mitigations you've identified
After you report, you can expect the following:
- Initial Response: We aim to acknowledge receipt of your vulnerability report within 48 hours.
- Status Updates: We will provide regular updates (at least once a week) about our progress addressing the issue.
- Resolution Timeline: We will work diligently to fix the vulnerability and release a patch as quickly as possible, typically within 90 days.
We follow a coordinated disclosure process:
1. We will acknowledge your report and confirm the vulnerability
2. We will develop and test a fix
3. We will release the fix and acknowledge your contribution (unless you prefer to remain anonymous)
Security updates will be released as:
- Patch versions for the current stable release
- New minor versions for older releases if the vulnerability is severe
- Security advisories on GitHub
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We generally provide security updates only for the most recent stable release series and the one before it.
When deploying ObsFind in production, consider these security best practices:
- Run the daemon with minimal permissions
- Restrict network access to the daemon API
- Keep all dependencies updated
- Follow the security guidelines in the documentation
We are grateful to the security researchers who have helped improve ObsFind's security. Researchers who report vulnerabilities will be acknowledged in our security advisories (unless they prefer to remain anonymous).