Skip to content

Security: xuhuanstudio/ConsoleDock

SECURITY.md

Security Policy

ConsoleDock is a debug SDK. Logs may contain sensitive data, so privacy and Release-build safeguards are part of the security model.

Supported Versions

ConsoleDock has published a v0.x public preview, but has not reached a stable 1.0 release yet. Security handling is best effort for the latest public v0.x tag and active development on main.

Version Security support
Latest public v0.x tag Best-effort fixes for security-relevant debug SDK behavior.
main Active development; use for verification, not as a supported release line.
Older pre-release commits Not supported unless the issue also affects the latest public tag or main.

Reporting a Vulnerability

Use GitHub private vulnerability reporting when it is enabled for the repository.

If private vulnerability reporting is not available yet, open a minimal public issue titled Security report coordination and ask maintainers to establish a private channel. Do not include exploit details, proof-of-concept code, private screenshots, production logs, credentials, tokens, cookies, API keys, customer data, or other secrets in that public issue.

When reporting privately, include:

  • affected ConsoleDock version or commit;
  • whether the issue affects Debug, Release, or both;
  • minimal reproduction steps using synthetic data;
  • expected impact for testers or app developers;
  • whether sensitive data, copy/share/export, Release activation, or descriptor capture is involved.

Security-relevant reports include:

  • accidental Release-build activation;
  • unsafe copy, share, export, or persistence behavior;
  • missing or bypassed redaction for obvious secrets;
  • behavior that exposes logs from other apps or processes;
  • use of private APIs.

Handling Expectations

Maintainers should acknowledge private reports before discussing details publicly. Public disclosure should wait until a fix, mitigation, or clear non-issue determination is available.

For debug-log privacy guidance, see Privacy and redaction. For Release safeguards, see Release build safety.

Project Boundaries

ConsoleDock does not provide remote telemetry, does not read logs from other processes, and must not be described as a full unified logging reader.

There aren't any published security advisories