We appreciate your efforts in responsibly disclosing any issues you may find. To report a security vulnerability, please follow these steps:
-
Privately disclose the issue by sending an email to [email protected]. Please do not create publicly viewable issues for security vulnerabilities.
-
Provide detailed information regarding the vulnerability, including:
- Description of the vulnerability
- Steps to reproduce
- Versions affected
- Any mitigating factors
-
Our Response:
- Our security team will acknowledge receiving your report within 48 hours.
- We will work to validate and reproduce the issue.
- Once confirmed, we will work on a fix and release schedule.
-
Public Disclosure:
- We aim to release patches for vulnerabilities as soon as possible.
- We will coordinate with you regarding public disclosure, ensuring a reasonable timeline for users to update before the details are made public.
- Code Review: We conduct code reviews to catch potential vulnerabilities during code submission
- Dependency Management: We track dependencies and update them regularly to mitigate known security issues.
- Secure Development Practices: We use a series of security tools to detect potential vulnerabilities in existing and newly submitted code.
Our security policy covers vulnerabilities in the SFCGAL core codebase.
While packages in Linux and other unix-like distributions are out of scope of this document, distribution maintainers traditionally do a great job in patching their distributions for security vulnerabilities. Please, refer to a specific distribution or package source if you are using packages for a specific software distribution.
We adhere to responsible disclosure practices. We appreciate your cooperation in allowing us time to address any reported vulnerabilities before disclosing them publicly. We ask that you refrain from disclosing any details of the vulnerability until we have had adequate time to provide a fix.
Thank you for helping to keep SFCGAL secure!