41 lines
1.1 KiB
Markdown
41 lines
1.1 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
This repository is currently in an early alpha stage.
|
|
|
|
Security fixes are expected on:
|
|
|
|
- the current `main` branch
|
|
- the newest tagged pre-release, when one exists
|
|
|
|
Older snapshots may not receive backported fixes.
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
Please do **not** open a public issue for a suspected security problem before
|
|
the maintainer has had a chance to assess it.
|
|
|
|
Preferred process:
|
|
|
|
1. Report the issue privately through your forge's private reporting workflow, if available.
|
|
2. If private reporting is not available, contact the maintainer through the repository owner profile first.
|
|
3. Include:
|
|
- affected version or commit
|
|
- reproduction steps
|
|
- impact
|
|
- any workaround, if known
|
|
|
|
## Scope
|
|
|
|
Relevant security reports include:
|
|
|
|
- credential or token leakage
|
|
- unsafe network handling
|
|
- update or packaging integrity issues
|
|
- sandbox, entitlement, or macOS permission mistakes
|
|
- malicious or unintended code execution paths
|
|
|
|
Reports that are only stream-quality, broken station metadata, or ordinary
|
|
playback bugs should go through the normal issue tracker.
|