I take the security of Borgitory seriously. If you discover a security vulnerability, please follow these steps:
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via one of the following methods:
- Email: Send details to matt@mattlapaglia.com.
- GitHub Security Advisory: Use GitHub's private vulnerability reporting feature at https://github.com/mlapaglia/Borgitory/security/advisories/new
Please include the following information in your report:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it

After you submit a report, you can expect the following:
- Acknowledgment: I will acknowledge receipt of your vulnerability report within 48 hours
- Initial Assessment: I will provide an initial assessment within 5 business days
- Updates: I will keep you informed about progress toward a fix
- Disclosure: Once a fix is available, I will coordinate disclosure timing with you
- I follow responsible disclosure practices
- Security researchers will be credited in release notes (unless anonymity is requested)
- CVE IDs will be requested for confirmed vulnerabilities
- Public disclosure occurs after fixes are available

For general security questions or concerns, please open a GitHub issue (for non-vulnerability discussions) or contact matt@mattlapaglia.com.