| Version | Supported |
|---|---|
| main | Yes |
| < main | No |
Only the latest code on the main branch receives security updates.
Do not open a public issue for security vulnerabilities.
To report a vulnerability, email rock@rockcyber.ai with:
- A description of the vulnerability
- Steps to reproduce (or a proof-of-concept)
- The impact you've assessed
- Any suggested fix (optional)
You will receive an acknowledgment within 48 hours. We aim to provide a substantive response (fix, mitigation, or explanation) within 7 days.
The following are in scope:
- Code in `tract/`, `scripts/`, and `parsers/`
- Dependencies listed in `requirements.txt`
- GitHub Actions workflows in `.github/workflows/`
- Data processing pipelines that handle external input (OpenCRE API, framework source files)
The following are out of scope:
- The CRE data itself (report to opencre.org)
- Framework source documents (report to the respective framework maintainers)
- Vulnerabilities in third-party dependencies (report upstream; we will update pinned versions)
We follow coordinated disclosure. We will:
- Confirm the issue and determine its impact
- Develop and test a fix
- Release the fix and credit the reporter (unless anonymity is requested)
- Publish a brief advisory if the issue affected released artifacts
This project enforces several security practices:
- All dependencies are pinned to exact versions in `requirements.txt`
- Dependabot monitors for vulnerable dependencies weekly
- CodeQL scans run on every push to `main` and on PRs
- Secret scanning and push protection are enabled on the repository
- No `eval()`, `exec()`, `subprocess(shell=True)`, or `pickle` on untrusted data
- All external text is sanitized (null bytes, HTML, zero-width characters) before storage
- API credentials are never hardcoded; they are sourced from environment variables or the `pass` password manager
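As an added illustration of the sanitization practice listed above (example code, not the project's own), a Python sanitizer that removes null bytes, HTML markup and zero-width characters from externally fetched text. It goes slightly beyond the bullet by dropping every Unicode format character (category Cf), which also covers soft hyphens and bidi override controls; the sample input is constructed.

```python
import html
import re
import unicodedata

# Matches anything that looks like an HTML/XML tag. A regex is enough for
# short metadata strings; rich documents should go through html.parser.
_TAG_RE = re.compile(r"<[^>]*>")


def audit_external_text(text: str) -> dict:
    """Count the suspicious constructs present, so they can be logged
    (detection) before the text is cleaned (mitigation)."""
    return {
        "null_bytes": text.count("\x00"),
        "html_tags": len(_TAG_RE.findall(text)),
        "format_chars": sum(1 for ch in text if unicodedata.category(ch) == "Cf"),
    }


def sanitize_external_text(text: str) -> str:
    """Return plain text safe to store: no NULs, no markup, no invisible
    format characters. Output must still be escaped when rendered."""
    # 1. Null bytes: C-backed storage layers and libraries truncate on NUL.
    text = text.replace("\x00", "")
    # 2. HTML: decode entities first so encoded tags (&lt;b&gt;) cannot
    #    survive as markup, then strip every tag-like sequence.
    text = html.unescape(text)
    text = _TAG_RE.sub("", text)
    # 3. Unicode format characters (Cf): zero-width space/joiners, BOM,
    #    soft hyphen, bidi overrides. They hide content and break matching.
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    # Collapse whitespace runs left behind by removed markup.
    return re.sub(r"\s+", " ", text).strip()


# Constructed sample resembling a framework title fetched from an API.
SAMPLE = "Title\x00\u200bwith <b>bold</b> &amp; stuff"

if __name__ == "__main__":
    print(audit_external_text(SAMPLE))
    print(sanitize_external_text(SAMPLE))
```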