We actively support the following versions with security updates:

| Version | Supported | Status |
|---|---|---|
| 1.1.x | Yes | Active |
| 1.0.x | EOL soon | |
| < 1.0 | No | Unsupported |

Recommendation: Always use the latest stable release from the Releases page.
We take security vulnerabilities seriously. If you discover a security issue, please follow responsible disclosure:

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, report via:

- GitHub Security Advisories (Preferred):
  - Go to Security → Advisories
  - Click "Report a vulnerability"
  - Provide details using the template below
- Email (Alternative):
  - Contact: [your-email@example.com]
  - Subject: `[SECURITY] bash-markdown-link-validator vulnerability`
  - Use PGP key (if available): [link to PGP key]

## Vulnerability Description
[Clear description of the security issue]
## Impact
[Potential impact: data exposure, code execution, etc.]
## Steps to Reproduce
1. Step 1
2. Step 2
3. ...
## Proof of Concept
[Code snippet, logs, or screenshots]
## Suggested Fix
[Optional: Your recommendation for fixing the issue]
## Environment
- Version: [e.g., v1.1.0]
- OS: [e.g., Ubuntu 22.04]
- Bash Version: [output of `bash --version`]

| Stage | Timeline | Description |
|---|---|---|
| Acknowledgment | 48 hours | We confirm receipt of your report |
| Initial Assessment | 7 days | We evaluate severity and impact |
| Fix Development | 14-30 days | We develop and test the fix |
| Disclosure | 30-90 days | Coordinated public disclosure |

Note: Timelines may vary based on complexity and severity.

- Keep Updated: Use the latest stable release
- Review Code: Inspect scripts before running in sensitive environments
- Least Privilege: Run with minimal necessary permissions
- Input Validation: Be cautious with untrusted Markdown files
- No Secrets: Never commit credentials, tokens, or sensitive data
- ShellCheck: Run `shellcheck` to catch common vulnerabilities
- Input Sanitization: Always validate and sanitize user inputs
- Dependency Security: Minimize dependencies (we have zero!)

- Risk: Scripts read files from the file system
  - Mitigation: Run in controlled environments, use `--exclude` for sensitive dirs
- Risk: Validates HTTP(S) links (no actual HTTP requests by default)
  - Mitigation: JSON mode for CI/CD, avoid executing external code
- Risk: Shell injection if inputs are not sanitized
  - Mitigation: All variables are quoted, no `eval` usage

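As an added example (not code from the bash-markdown-link-validator project), the script below shows the quoting discipline the last mitigation describes: link targets are pulled out of a constructed Markdown sample and handled only as data, so a target that contains shell metacharacters is counted and compared but never executed. The function names, the sample text and the `local_exists` helper are assumptions, not part of the project.

```shell
#!/usr/bin/env bash
# Added example (not the project's own code): pull link targets out of untrusted
# Markdown with no eval and every expansion quoted, so a target that contains
# shell metacharacters stays a string and is never run.
set -eu

# Constructed sample. The second target carries a ';' on purpose: a validator
# that pasted it into an eval'd command string would run 'echo INJECTED'.
SAMPLE_MD='Read [docs](docs/README.md), [site](https://example.com/a;echo INJECTED)
and [gone](./missing.md) before [home](~/notes.md).'

# Print one [text](target) target per line. The text is only matched and
# printed, never re-parsed by the shell.
extract_links() {
  printf '%s\n' "$1" | grep -oE ']\([^)]+\)' | sed -E 's/^..//; s/.$//'
}

# Classify one target without touching the network or the file system.
classify_link() {
  case "$1" in
    http://*|https://*) printf 'http\n' ;;
    *)                  printf 'local\n' ;;
  esac
}

# Count targets of class $2 ("http" or "local") in the Markdown in $1.
# Every use of "$link" is quoted, so 'a;echo INJECTED' is one compared value.
count_class() {
  extract_links "$1" | {
    n=0
    while IFS= read -r link; do
      if [ "$(classify_link "$link")" = "$2" ]; then
        n=$((n + 1))
      fi
    done
    printf '%s\n' "$n"
  }
}

# Existence check for a local target under base directory $2. The target is
# passed as one quoted argument: '~' is not expanded and globs are not matched.
local_exists() {
  [ -e "$2/$1" ]
}
```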
| Date | Version | Type | Summary |
|---|---|---|---|
| 2025-01 | v1.1.0 | Internal Review | No vulnerabilities found |
| 2024-12 | v1.0.0 | Initial Release | Baseline security assessment |
We appreciate security researchers who help improve this project:
No security reports yet. Be the first!
For general security questions (not vulnerabilities):
- Discussions: GitHub Discussions
- Documentation: CONTRIBUTING.md
Thank you for helping keep bash-markdown-link-validator secure!