We take the security of this project seriously and are committed to protecting our users. If you believe you have found a security vulnerability, please follow the process below so we can resolve it responsibly.
Instead, please email your findings to security@simplecontainer.io.
When reporting, include as much detail as possible:
- A clear description of the issue.
- Steps to reproduce the problem (if applicable).
- Any suggested fixes or patches.
You should receive an acknowledgment within 72 hours confirming we have received your report.
-
Triage & Verification
Our maintainers will review your report to confirm whether it is valid and determine its severity and scope. We may reach out for additional clarification during this stage. -
Private Discussion
If the report is confirmed, we will create a private draft advisory on GitHub (or other appropriate platform) to coordinate with you and maintainers. Other affected projects may also be contacted under embargo. -
Resolution & Disclosure
- A patch or fix will be developed and tested.
- A coordinated disclosure timeline will be agreed upon.
- Public advisories will be published once the fix is released.
We expect reporters to respect any agreed-upon embargo period until disclosure.
We appreciate community contributions that help improve security. Reporters will be credited in release notes or advisories unless anonymity is requested.
(Note: At this time there is not a paid bug bounty program.)
We maintain support for specific long-term release branches. Please see RELEASES.md in the repository for up-to-date information on which versions currently receive security updates.