ShuttleScope is currently in prototype/POC stage. Security fixes are applied to the main branch only.
| Version | Supported |
|---|---|
| main | ✅ |
| older | ❌ |
If you discover a security vulnerability in ShuttleScope, please do not open a public GitHub issue.
Instead, report it privately via one of:
- GitHub Security Advisory — preferred. Submit via https://github.com/MasayukiTa/shuttle-scope/security/advisories/new (or click "Report a vulnerability" on the repository's Security tab).
- Email — send details to the maintainer contact listed on the GitHub profile: https://github.com/MasayukiTa
Please include:
- Affected component (backend API, Electron shell, renderer, GitHub Actions workflow, etc.)
- Reproduction steps or proof-of-concept
- Impact assessment (confidentiality / integrity / availability)
- Any suggested mitigation
You should receive an initial acknowledgement within 7 days. We aim to triage and propose a fix or mitigation plan within 30 days for confirmed vulnerabilities.
In-scope:
- FastAPI backend (`shuttlescope/backend/`)
- Electron main / preload (`shuttlescope/electron/`)
- React renderer (`shuttlescope/src/`)
- Build and CI workflows (`.github/workflows/`)
Out-of-scope (not a concern at the prototype stage):
- Local role switching via `useAuth` (POC-only; not production auth)
- Reports on issues already tracked in the public Code Scanning / Dependabot tabs
Ongoing hardening work is tracked in shuttlescope/docs/validation/. Known accepted risks are documented there with justification.
Reports concerning the content of material processed by ShuttleScope — for example, claims by a rights holder that User-submitted material infringes copyright, erasure requests by a data subject under GDPR Article 17 / APPI Article 30, or other non-security content complaints — are handled separately from vulnerability reports.
The procedure for content reports, including the reporting channels, the expected report format, the response timeline, and the counter-notice procedure, is set out in CONTENT_POLICY.md. Please use the channels listed in CONTENT_POLICY.md Section 5 for content reports rather than the vulnerability channels listed above.