Repositories under the sightmap organization may have their own SECURITY.md with details specific to that codebase. Where one is present, it takes precedence over this default.
Please do not open a public GitHub issue for security reports.
Email: subtext@fullstory.com
Include:
- A clear description of the issue
- Steps to reproduce, or a proof of concept
- The affected repository, version, or commit SHA
- Your assessment of impact
- Whether you would like to be credited, and if so how
We will acknowledge receipt within 3 business days and aim to provide a substantive response within 10 business days.
Disclosure process:
- You report privately via email.
- We confirm the issue and determine scope.
- We develop and test a fix on a private branch.
- We coordinate a disclosure date with you. For most issues we aim to disclose within 30 days of confirmation.
- We release the fix, publish an advisory on GitHub, and credit you if you'd like.
If an issue is being actively exploited, we may shorten this timeline.
In-scope: any repository under the sightmap GitHub organization maintained by the Subtext team.
Out-of-scope:
- Third-party integrations, SDKs, or tools that consume sightmaps but are not maintained by the Subtext team
- Any Subtext commercial product — those have their own security process; see subtext.fullstory.com
We will not pursue legal action against security researchers who:
- Make a good-faith effort to avoid privacy violations, destruction of data, or interruption of services
- Only interact with accounts they own or with explicit permission from the account holder
- Give us reasonable time to investigate and fix the issue before public disclosure
- Do not exploit the issue beyond what is necessary to demonstrate it