Security: jjrdk/opencertserver

SECURITY.md

Security Policy

Supported Versions

Currently, only the latest stable release of OpenCertServer is supported with security updates.

Version          Supported with Security Updates
v1.0 (Current)   Yes
< v1.0           No

Reporting a Vulnerability

Please do not report security vulnerabilities via public GitHub issues. Publicly disclosing a vulnerability before a patch is available puts all users of the software at risk.

If you discover a potential security vulnerability in OpenCertServer, please report it privately to the maintainers.

How to Report

  1. Send a message to the GitHub maintainers.
  2. Include a detailed description of the vulnerability.
  3. Provide a minimal reproducible example (PoC) if possible.
  4. Specify the version(s) of the software affected.

Disclosure Policy

OpenCertServer follows the principle of Coordinated Vulnerability Disclosure. Our goal is to resolve security issues as quickly as possible while ensuring that users are protected.

  1. Private Notification: Once a report is received, we will acknowledge receipt within 3-5 business days.
  2. Triage and Fix: We will work to verify the issue and develop a patch. You will be kept informed of our progress.
  3. Public Disclosure: After a fix has been released and users are encouraged to update, we will coordinate with you to publish the details of the vulnerability (e.g., via a CVE or a security advisory).

We request that you do not disclose the vulnerability publicly until a patch is available and coordinated disclosure has occurred.

Acknowledgments

We value the help of the security community. Researchers who report vulnerabilities that lead to a fix will be credited in our release notes and/or a dedicated SECURITY_CREDITS.md file, provided they consent to being named.