Security Guideline
This document explains how Deptrac security issues are handled by the maintainers.
Reporting a security issue
If you think you have found a security issue in Deptrac, we ask you not to use the bug tracker and to not publish it publicly. Instead, all security issues must be sent to security@qossmic.com.
Security bug bounties
Deptrac is an Open-Source project where most of the work is done by volunteers. We appreciate that developers are trying to find security issues in Deptrac and report them responsibly, but we are currently unable to pay bug bounties.
Process
In case of an incident being reported, we will...
- try to confirm the vulnerability.
- send an acknowledgement to the reporter, if the issue is confirmed
- start working on a patch
- prepare a security advisory to be published with the patch
- send the patch and advisory to the reporter for review
- apply the patch to all supported versions of Deptrac
- release a new version of Deptrac with the applied patch
- publish the advisory