We take security vulnerabilities seriously. If you discover a security issue in github2md, please report it responsibly.
Use GitHub's private vulnerability reporting:
This allows us to coordinate a fix before the details are made public.
You can also email vulnerability reports to:
Please include:
- A description of the vulnerability
- Steps to reproduce or a proof-of-concept
- The affected version(s), if known
- Any potential impact you've identified

What you can expect from us:
- Acknowledgment: We will acknowledge your report within 48 hours.
- Updates: We will provide status updates at least every 7 days until the issue is resolved.
- Resolution: We will work to issue a fix as quickly as possible, prioritizing based on severity.

Vulnerabilities in scope for github2md include:
- Path traversal attacks in file output
- ZIP bomb or resource exhaustion vulnerabilities
- Injection vulnerabilities (e.g., Markdown injection)
- Sensitive data exposure via exported content
- Privilege escalation

Out of scope:
- Denial of service via extremely large GitHub profiles (already handled by rate limiting)
- Issues in dependencies (please report these to the respective maintainers)

We ask that you:
- Do not publicly disclose the vulnerability before a fix is available.
- Give us reasonable time to address the issue before any public announcement.
- Make a good-faith effort to avoid privacy risks, data destruction, or disruption to others.
Thank you for helping keep github2md and its users safe.