Files
santifer--career-ops/SECURITY.md
T
wehub-resource-sync d083df1fdb
CodeQL Analysis / Analyze (javascript-typescript) (push) Failing after 2s
Web CI / web typecheck + build (push) Failing after 1s
Release Please / release-please (push) Failing after 1s
CodeQL Analysis / Analyze (go) (push) Failing after 16s
chore: import upstream snapshot with attribution
2026-07-13 12:02:43 +08:00

1.1 KiB

Security Policy

Reporting a Vulnerability

Do NOT open a public issue for security vulnerabilities.

Instead, please email hi@santifer.io with:

  1. Description of the vulnerability
  2. Steps to reproduce
  3. Potential impact
  4. Suggested fix (if any)

You will receive a response within 72 hours. We will work with you to understand and address the issue before any public disclosure.

Scope

Security issues in the following are in scope:

  • Scripts (*.mjs) — command injection, path traversal, SSRF
  • Dashboard (dashboard/) — any Go binary vulnerabilities
  • Templates (templates/) — XSS in generated HTML/PDF
  • Configuration — secrets exposure, unsafe defaults

Out of Scope

  • Issues in third-party dependencies (report upstream)
  • Issues requiring physical access to the user's machine
  • Social engineering attacks
  • career-ops is a local tool — there is no hosted service to attack

Disclosure Policy

We follow coordinated disclosure. Once a fix is released, we will credit the reporter (unless they prefer anonymity) in the release notes.