Security is a priority for Sync-in, and we welcome responsible disclosure of vulnerabilities.
This policy applies to all Sync-in maintained codebases.
If you discover a potential vulnerability, report it privately via GitHub:
- Use the "Report a vulnerability" feature (GitHub Security Advisories)
Do not open a public issue or discussion.
Do not assign or request a CVE directly. CVE assignment, if applicable, will be handled as part of the responsible disclosure process.
Please include:
- Description of the issue
- Steps to reproduce (if applicable)
- Potential impact
- Relevant logs or proof of concept
You agree to:
- Keep the issue confidential until a fix is available
- Avoid accessing or modifying data that is not yours
- Test only within reasonable limits
How reports are handled:
- Reports are reviewed and validated
- Fixes are developed as appropriate
- Disclosure may be coordinated when relevant
Sync-in only accepts vulnerability reports submitted through GitHub Security Advisories.
Reports sent through other channels (including public issues or discussions) may be ignored.
The following are generally not considered security vulnerabilities:
- Issues requiring unrealistic user interaction
- Denial of service through excessive resource usage without bypassing protections
- Misconfigurations in user-managed deployments