Only the latest stable release of the PassiveIntent SDK receives security fixes. Please upgrade to the latest version before reporting a vulnerability.
| Version | Supported |
|---|---|
| latest | ✅ |
| older | ❌ |
Do NOT open a public GitHub issue for security vulnerabilities.
A public issue immediately discloses the flaw to every user of the repository — including potential attackers — before a fix is available. We ask you to follow a responsible disclosure process instead.
Send an email to:
Please include all of the following in your report:
- Description — A clear explanation of the vulnerability and its potential impact.
- Affected versions — Which SDK version(s) are affected.
- Proof of concept — A minimal, self-contained script or set of steps that reliably demonstrates the issue.
- Environment details — Browser/runtime version, OS, and any other relevant context.
- Suggested fix (optional) — If you have a proposed remediation, we welcome it.
Encrypt sensitive details using our PGP public key if you prefer (key available on request).
| Timeline | Action |
|---|---|
| Within 48 h | We acknowledge receipt of your report. |
| Within 7 days | We provide an initial assessment and severity rating (CVSS score). |
| Within 90 days | We aim to release a patch and publish a CVE (if applicable). We will keep you updated throughout. |
We will coordinate the public disclosure date with you. If you require more time before public disclosure (e.g., for your own advisory), please say so in your report.
We do not currently operate a paid bug bounty program. We do, however, credit all reporters (with your permission) in the release notes and security advisory for the fix.
The following are in scope for security reports:
- The `@passiveintent/core` and `@passiveintent/react` npm packages (`src/`)
- The public SDK API surface (`IntentManager`, adapters, configuration)
- Data leakage or privacy violations stemming from SDK behaviour
The following are out of scope:
- Vulnerabilities in third-party dependencies (please report those upstream)
- Issues in the sandbox/demo app (`sandbox/`) that do not affect SDK consumers
- Social engineering or phishing attacks
- Denial-of-service attacks that require an authenticated position
We follow the Google Project Zero 90-day disclosure policy. If a patch cannot be delivered within 90 days, we will publish a mitigation advisory and negotiate an extension with the reporter.
We thank the following researchers for responsible disclosures:
(No disclosures yet — be the first!)