Thank you for helping keep IssueScout secure.
The security of our users, contributors, and the open-source community is a top priority. We greatly appreciate responsible disclosure of security vulnerabilities and work to address valid reports as quickly as possible.
Security updates are provided only for actively supported releases.
| Version | Supported |
|---|---|
| 1.x | β Yes |
| < 1.0 | β No |
Only the latest stable 1.x release receives security fixes.
Please do not report security vulnerabilities through public GitHub issues or pull requests.
Instead, report them privately to the project maintainers.
Include as much information as possible:
- Description of the vulnerability
- Steps to reproduce
- Expected behavior
- Actual behavior
- Proof of concept (if available)
- Potential impact
- Suggested mitigation (optional)
- Environment details
- Operating System
- Python version
- Node.js version
- Browser (if applicable)
Reports containing reproducible information can generally be investigated much more quickly.
When a security report is received, the maintainers will:
- Acknowledge receipt.
- Validate the report.
- Assess severity and impact.
- Develop and test a fix.
- Prepare a security release if required.
- Coordinate responsible disclosure.
- Credit the reporter unless anonymity is requested.
While response times may vary depending on complexity, every report will be reviewed.
This policy applies to all official IssueScout components.
- FastAPI REST API
- Repository scanner
- GitHub client
- Evidence collection
- Relationship detection engine
- Confidence calculator
- Ranking engine
- Prediction services
- React application
- Client-side API communication
- Repository dashboard
- Issue detail pages
- GitHub Actions
- CI workflows
- Dependency management
- Configuration files
- Documentation
The following are outside the scope of this security policy:
- GitHub platform vulnerabilities
- Vulnerabilities in third-party services
- User-owned GitHub repositories
- Local development environment misconfiguration
- Self-hosted deployments modified by third parties
- Social engineering attacks
When deploying or contributing to IssueScout:
- Keep dependencies up to date.
- Use the latest supported release.
- Store GitHub Personal Access Tokens securely.
- Never commit secrets or credentials.
- Use environment variables for sensitive configuration.
- Rotate compromised credentials immediately.
- Enable GitHub Secret Scanning.
- Enable Dependabot security updates.
- Review dependency updates before merging.
- Follow the principle of least privilege when creating GitHub tokens.
IssueScout uses several tools to improve software security and code quality.
These include:
- GitHub Dependabot
- GitHub Security Advisories
- GitHub Actions
- Ruff
- MyPy
- Pytest
- Automated CI validation
Every pull request should pass all automated quality checks before merging.
Security reports are accepted in:
- English
Please allow reasonable time for investigation, remediation, testing, and coordinated disclosure before making any vulnerability public.
Responsible disclosure helps protect the project's users and the broader open-source ecosystem.
We sincerely appreciate security researchers and community members who responsibly disclose vulnerabilities.
Contributors who help improve the security of IssueScout may be acknowledged in future release notes unless anonymity is requested.
If you discover a security vulnerability, please report it privately rather than opening a public GitHub issue.
Until a dedicated security contact is established, please use one of the following methods:
- Open a private GitHub Security Advisory (preferred), if enabled for the repository.
- Contact the project maintainers through the repository's official communication channels.
- If neither option is available, open a regular GitHub issue only if the report does not disclose sensitive vulnerability details and request a private communication channel.
Please avoid publishing proof-of-concept exploits or sensitive technical details until the issue has been investigated and, where appropriate, fixed.
Security is a shared responsibility.
Thank you for helping keep IssueScout reliable, secure, and trustworthy for the entire open-source community.