We release patches for security vulnerabilities. The following versions currently receive security updates:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them through one of the following channels:
- GitHub private advisory (preferred): go to the repository's Security Advisories page, click "New draft security advisory", and fill in the details. The draft is visible only to the maintainers until it is published.
- Email: support@miccy.dev
Please include as much of the following information as possible:
- Type of issue (e.g., a detection bypass or false negative, a false positive, command injection in a script, a stale or wrong IOC entry)
- Full path(s) of the source file(s) or IOC entries involved
- The affected revision (tag/branch/commit or a direct URL to the line)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
Our target response times are:
- Initial Response: within 48 hours
- Status Update: within 7 days
- Fix Timeline: depends on severity (Critical: 24-48 hours, High: 1 week, Medium: 2 weeks)
What to expect after you report:
- Acknowledgment: we'll confirm receipt of your vulnerability report
- Investigation: we'll investigate and validate the issue
- Fix Development: we'll develop a fix
- Coordinated Disclosure: we'll coordinate the public disclosure with you
- Credit: we'll credit you in the security advisory (unless you prefer anonymity)
This repository implements several security measures:
- Dependency Scanning: Automated with Dependabot
- Secret Scanning: Enabled
- Code Scanning: CodeQL analysis
- Socket.dev Integration: Supply-chain security monitoring
- Signed Commits: Required for maintainers
- Branch Protection: Enforced on main branch
- Required Reviews: All PRs require review
- CI/CD Security: Minimal permissions, no secrets in logs
- Lockfile Verification: All dependencies pinned
- Script Auditing: Install scripts disabled by default
- IOC Monitoring: Regular updates from security vendors
- Vendor Verification: All IOCs cross-referenced
The following are in scope for security reports:
- Detection scripts (false positives, false negatives, unsafe handling of input)
- IOC database accuracy
- Security guidance in the documentation
- Configuration templates
- Repository infrastructure (workflows, branch protection, tokens)
The following are out of scope:
- Vulnerabilities in third-party tools (Socket.dev, npm, etc.); report those to the respective vendor
- Issues in the packages listed in the IOC database (report those to npm or the package maintainers)
- Social engineering attacks
- Physical security
When using this repository:
- Verify IOCs: Cross-reference with official vendor sources
- Review Scripts: Inspect scripts before running them, especially with elevated privileges
- Update Regularly: Pull latest IOC updates frequently
- Report Findings: Help us improve by reporting false positives/negatives
- Secure Your Credentials: Follow the remediation guide for credential rotation
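As an added illustration of what "Verify IOCs" and "Report Findings" mean in practice, the following script matches an npm `package-lock.json` against an IOC list of known-compromised package versions. This is example code written for this page, not one of the repository's own detection scripts; the IOC list format (one `name@version` per line) and all package names and versions below are constructed for the demonstration and are not real indicators. A hit on the exact name and version is reported as compromised; a hit on the name alone, at a version not in the list, is reported for review rather than as a finding, which is the usual source of false positives in name-only matching.

```python
"""Added example: match an npm lockfile against an IOC list of compromised
package versions. Not the project's own detection script. The IOC list format
and all sample data below are constructed for illustration, not real indicators."""
import json
from dataclasses import dataclass

# Constructed IOC list (hypothetical names/versions, not from any vendor feed).
IOC_LIST = """\
# name@version of packages published by the worm (constructed sample)
example-colors@2.1.7
@example/scoped-util@0.4.2
"""

# Constructed lockfile in package-lock.json v3 layout: the "packages" map is
# keyed by install path, which is how npm 7+ writes it.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3, "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-colors": {"version": "2.1.7"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # nested install: a different version of a listed package
        "node_modules/left-pad/node_modules/example-colors": {"version": "2.1.6"},
        "node_modules/@example/scoped-util": {"version": "0.4.2"},
    }})


@dataclass(frozen=True)
class Finding:
    path: str
    name: str
    version: str
    status: str  # "COMPROMISED" (exact name@version) or "REVIEW" (name only)


def parse_ioc_list(text):
    """Return {name: set(versions)} from name@version lines; '#' lines are comments."""
    iocs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # rpartition so scoped names like @scope/pkg@1.0.0 split on the last '@'
        name, sep, version = line.rpartition("@")
        if not sep or not name:
            raise ValueError(f"malformed IOC line: {line!r}")
        iocs.setdefault(name, set()).add(version)
    return iocs


def package_name_from_path(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested installs keep their own name)."""
    return path.rsplit("node_modules/", 1)[-1]


def scan_lockfile(lock_text, ioc_text):
    """Return Findings for every installed package whose name appears in the IOC list."""
    iocs = parse_ioc_list(ioc_text)
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = package_name_from_path(path)
        version = meta.get("version", "")
        if name not in iocs:
            continue
        # Exact version match is the indicator; a different version of the same
        # name is flagged for review only, so it is not reported as a compromise.
        status = "COMPROMISED" if version in iocs[name] else "REVIEW"
        findings.append(Finding(path, name, version, status))
    return findings


if __name__ == "__main__":
    for f in scan_lockfile(SAMPLE_LOCKFILE, IOC_LIST):
        print(f"{f.status:12} {f.name}@{f.version}  ({f.path})")
```

To use it against a real project, replace `SAMPLE_LOCKFILE` with the contents of the project's `package-lock.json` and `IOC_LIST` with a list you have cross-checked against the vendor source, then treat `REVIEW` entries as candidates to verify by hand rather than as confirmed compromises.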
We currently do not have a bug bounty program. However, we deeply appreciate security researchers who follow responsible disclosure practices and will acknowledge contributions prominently.
Contact channels:
- Security Issues: Use a GitHub Security Advisory or email
- General Questions: Open a GitHub Discussion
- X/Twitter: @miccycz
- Bluesky: @miccy-dev
- Mastodon: @miccy
- Email: support@miccy.dev
If you'd like to encrypt your security report: no PGP key is published yet. Until one is, use the GitHub private advisory form for sensitive details (it is readable only by the maintainers) rather than sending exploit code by plain email.
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service interruption
- Only interact with accounts they own or have explicit permission to test
- Do not exploit a vulnerability beyond what is necessary to confirm its existence
- Report the vulnerability promptly
- Keep the vulnerability confidential until we've had a reasonable time to fix it
Thank you for helping keep Don't Be Shy, Hulud and our users safe! 🛡️