| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +hashprep is currently in beta (`0.1.0bX`). Only the latest beta release on the `main` branch receives security updates. Older pre-releases are not patched — please upgrade to the newest version to pick up fixes. |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| ---------- | ------------------ | |
| 9 | +| `0.1.0b3` | :white_check_mark: | |
| 10 | +| `< 0.1.0b3`| :x: | |
| 11 | + |
| 12 | +Once hashprep reaches a stable `0.1.0` release, this table will be updated to reflect supported minor versions. |
| 13 | + |
| 14 | +## Reporting a Vulnerability |
| 15 | + |
| 16 | +If you believe you have found a security vulnerability in hashprep (the Python package, the CLI, or the documentation website under `web/`), **please do not open a public GitHub issue**. |
| 17 | + |
| 18 | +Instead, report it privately through one of the following channels: |
| 19 | + |
| 20 | +- **GitHub Private Vulnerability Reporting** — preferred. Open a report at <https://github.com/cachevector/hashprep/security/advisories/new>. |
| 21 | +- **Email** — `aftaab@aftaab.xyz` with the subject line `hashprep security report`. |
| 22 | + |
| 23 | +Please include as much of the following as you can: |
| 24 | + |
| 25 | +- A clear description of the issue and its impact. |
| 26 | +- The affected version(s) and component (library, CLI, website). |
| 27 | +- Steps to reproduce, a proof of concept, or a minimal failing example. |
| 28 | +- Any known mitigations or workarounds. |
| 29 | + |
| 30 | +### What to expect |
| 31 | + |
| 32 | +- **Acknowledgement:** within 72 hours of your report. |
| 33 | +- **Initial assessment:** within 7 days, including whether the report is accepted, needs more information, or is declined (with reasoning). |
| 34 | +- **Fix and disclosure:** for accepted reports, we will work on a fix, prepare a patched release, and coordinate a disclosure timeline with you. Reporters will be credited in the advisory unless they prefer to remain anonymous. |
| 35 | + |
| 36 | +### Scope |
| 37 | + |
| 38 | +In scope: |
| 39 | + |
| 40 | +- The `hashprep` Python package and CLI. |
| 41 | +- The documentation site in `web/`. |
| 42 | +- Build, packaging, and release tooling in this repository. |
| 43 | + |
| 44 | +Out of scope: |
| 45 | + |
| 46 | +- Vulnerabilities in third-party dependencies — please report those upstream. If a dependency issue affects hashprep users, we still appreciate a heads-up so we can bump the pinned version. |
| 47 | +- Issues that require physical access to a user's machine or already-compromised environments. |
| 48 | +- Denial of service caused by passing intentionally malformed datasets far outside the documented usage (e.g., multi-TB crafted inputs on a laptop). |
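Review bot: the Supported Versions table (lines 7-10 of the hunk) hardcodes `0.1.0b3` as the only supported row, while the paragraph above it says the latest beta on `main` is what receives fixes; every new beta will need a matching edit here or the table will quietly contradict the prose. Consider phrasing the row as "latest `0.1.0bX` release" (with `< latest 0.1.0bX` as the unsupported row) or adding "bump SECURITY.md table" to the release checklist referenced by the in-scope "release tooling" item. Separately, the email channel on line 21 asks reporters to send proofs of concept over plain email; if that channel is to remain an option, publishing a PGP key or pointing reporters to the GitHub advisory form for anything with a working exploit would be worth a sentence.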