AmaNotify handles subscriber records, admin authentication, campaign operations, and delivery telemetry. Security reports should stay private until a fix path is confirmed.

AmaNotify is currently maintained as a pre-1.0 project. Security fixes are expected to land on the latest main branch unless a release branch policy is introduced later.

Do not open a public issue for sensitive findings.

Preferred paths:
- GitHub private vulnerability reporting, if enabled for the repository.
- Direct contact with the maintainer through the repository owner profile if private reporting is unavailable.

A report should include:
- a concise description of the issue
- attack preconditions and impact
- clear reproduction steps or a proof of concept
- any mitigation or patch direction you already see

| Stage | What to expect |
|---|---|
| Acknowledgement | The report should be reviewed privately after receipt |
| Validation | Reproduction and impact are checked before any public discussion |
| Fix | A patch is prepared on the active code line |
| Disclosure | Public disclosure should happen only after a fix or mitigation exists |

- Public API abuse, auth bypass, data exposure, queue abuse, and delivery-log leakage are in scope.
- Generic dependency advisories without a practical impact path are lower signal unless they affect AmaNotify directly.
- Client-specific or environment-specific secrets should never be committed to the repo.