
Security: Zw-awa/BootHarbor

SECURITY.md

Security Policy


Reporting A Vulnerability

Do not open a public issue for problems that could reasonably be abused as a security vulnerability.

If a report involves any of the following, report it privately first:

  • unsafe boot-state or rollback behavior
  • unsafe recovery or rescue behavior
  • insecure update handling
  • privilege boundary violations
  • command injection or unsafe host-side tooling behavior
  • credential, token, or secret exposure

Include:

  • a short summary
  • the affected subsystem
  • reproduction steps if known
  • likely impact
  • suggested mitigation if available

What Counts As A Security Issue Here

Examples include:

  • a recovery path that can be abused to bypass intended control
  • unsafe boot-state handling that can force unintended boot behavior
  • a host tool executing untrusted input unsafely
  • secrets accidentally committed into the repository
  • an update or recovery flow that becomes unsafe under malicious input

What Is Usually Not A Security Report

The following are usually not security issues:

  • ordinary bring-up bugs
  • documentation mistakes with no security impact
  • expected instability in unfinished prototype code
  • unsupported local modifications
  • environment setup failures without a plausible security angle

Those should usually be reported through the normal public issue path.

Scope

This repository is in active early development. Security review and response are best-effort.
