If you have found a (potential) security issue in seshat, or are unsure
whether an issue is security-relevant, please report it privately by e-mail
to security@seshat.software.
Please do not report security issues through public issue trackers or pull requests, as this may put users of the project at risk before a fix is available.
It helps us if you include the following in your report:
- A description of the issue and its potential impact
- Steps to reproduce the issue, or a proof of concept
- The version or commit of
seshatyou tested against - Any relevant configuration details
We will acknowledge your report and keep you informed as we work on a fix. We kindly ask that you give us a reasonable amount of time to address the issue before any public disclosure and we will credit you for the discovery if you wish.
If you are running (or are going to run) an instance of seshat and would
like to receive advance notice of security issues and fixes, you can ask
(your security coordinator) to join the security mailing list by writing to
security@seshat.software.
This policy covers the seshat software itself, as developed at
codeberg.org/seshat/seshat.
Issues in third-party dependencies should be reported to their respective
projects, though we appreciate a heads-up if such an issue affects seshat
deployments.