Thank you for your interest in contributing to the security of VMAware, a C++ library for VM detection. We take security vulnerabilities seriously and aim to fix them promptly and responsibly. Please read and follow these guidelines when reporting a security issue.
We only provide security fixes for the latest major release versions. If you discover a vulnerability in an unsupported version, please upgrade to the latest version in our Releases and verify whether the issue still exists.
Do not open a public issue for security vulnerabilities.
Contact: Submit your report via email to the maintainers at:
vmaware.support@gmail.com
Information to Include:
- A clear description of the vulnerability.
- Steps to reproduce (proof-of-concept if available).
- Impact assessment (what threats this poses).
- Affected versions (as per Section 1).
- Suggested remediation or patches if possible.
We prioritize meaningful and actionable security vulnerabilities. Reports will be dismissed without disclosure or fix if they:
Have no real-world impact.
Require unrealistic conditions for exploitation.
Relate to outdated or unsupported versions.
We reserve the right to classify any report as non-actionable.
1. Acknowledgment: You will receive a response within one week.
2. Evaluation: Investigation will begin within 5 business days.
3. Patch Development: If the issue is valid, a fix will be developed within 30 calendar days.
4. Disclosure: For actionable vulnerabilities, we will issue a security advisory and optionally credit the reporter.
- The patched version will be tagged with a security banner (e.g., v2.9.0-secfix).
- We will coordinate with package repositories and downstream projects.