
Security: cliff-security/cliff

SECURITY.md

Security policy

Thank you for helping keep this project and its users safe. This document describes how to report a suspected vulnerability, which versions we support, and how we coordinate disclosure.

Reporting a vulnerability

Please report suspected security vulnerabilities privately. Do not open a public GitHub issue for security reports.

  • Email: galank@gmail.com

We acknowledge new reports within 3 business days. We aim to triage and share a remediation plan within 14 days.

Supported versions

Security fixes are backported to the branches below. Older branches receive fixes only for high-severity issues on a best-effort basis.

Version            Supported
main (latest)      Yes
Older revisions    Best-effort only

Scope

Security reports are welcome for anything shipped by this repository, including:

  • The application source code committed to main.
  • Packaging, containers, and deployment manifests under this repo.
  • Default configuration and bundled credentials/secrets in repo artifacts.

Out of scope:

  • Findings about third-party dependencies that do not require a change here — please file those with the upstream project first.
  • Denial-of-service that requires an attacker to already hold administrator access to the host running this software.

Disclosure

We prefer coordinated disclosure. Once a fix is available we publish a GitHub Security Advisory and release notes describing the impact and the upgrade path. Reporters are credited unless they request otherwise.

Supply chain

Every published image at ghcr.io/cliff-security/cliff is signed with Sigstore keyless OIDC and carries SLSA v1 build provenance plus a CycloneDX SBOM, all attached as transparency-log-backed attestations. The image runs as a non-root user (UID 10001). Releases are gated by a required-reviewer GitHub Environment, and every third-party GitHub Action used in release.yml is pinned to a commit SHA.

See docs/verify-release.md for verification commands.

Commit signing

The main branch has "Require signed commits" enabled (enforced from 2026-05-13). Every commit merged to main must carry a GPG or SSH signature verified against a key registered on the committer's GitHub account. Contributors can run git log --show-signature -5 and confirm that it reports "Good signature" for recent commits; the GitHub UI also displays a Verified badge on each.

Setup guide: docs/guides/setup-signed-commits.md

Safe harbour

We will not pursue legal action against good-faith researchers who:

  • Follow this policy.
  • Stop at the proof-of-concept stage — do not exfiltrate data, degrade services, or pivot beyond the minimum needed to demonstrate the issue.
  • Avoid data that is not their own.

Generated by Cliff. Edit this file to match your actual process.
