Security Policy
Thanks for looking out for us. If you spot a security issue, responsible disclosure helps us fix it quickly.
Supported Versions
We provide security updates for the latest released version of this project only.
Older versions may not be patched.
Reporting a Vulnerability
If you discover a security vulnerability, do not report it via public GitHub issues or pull requests.
Publicly posting a vulnerability before it is resolved may put users at risk.
Instead, please email your report to: security@observes.io
When reporting, please include:
- A clear description of the vulnerability.
- Steps to reproduce the issue.
- Any proof-of-concept code or examples.
- The potential impact.
- Your preferred contact details.
If you wish to encrypt your report, you may use our PGP public key:
PGP Key: [link to your key or inline block]
Our Commitment
- Acknowledgement - We will acknowledge receipt of your report within 3 business days.
- Assessment - We will investigate and confirm the vulnerability.
- Resolution - We will work to develop and release a fix, prioritising based on severity.
- Disclosure - We will agree a coordinated public disclosure timeline with you. By default, we aim to disclose within 90 days of confirmation, unless a different timeline is mutually agreed.
- Credit - With your permission, we will acknowledge your contribution in our release notes and/or security advisories.
Scope
This policy applies to vulnerabilities found in:
- This project's source code and documentation.
- Configuration defaults or installation instructions provided in this repository.
Thank you for helping keep this project and its users secure.