We will publish known vulnerabilities through a GitHub Security Advisory once they have been addressed to inform the community of their potential scope, impact, and mitigation.
Porter and its maintainers take the security of the project seriously, and we appreciate your efforts to responsibly disclose your findings to us.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them through our private vulnerability reporting form.
It should contain:

* description of the problem
* precise and detailed steps (include screenshots) that created the problem
* the affected version(s)
* any possible mitigations, if known

You will receive a reply from one of the maintainers within 3 days acknowledging receipt of the email.
You may be contacted by a Porter project maintainer to further discuss the reported item. Please bear with us as we seek to understand the breadth and scope of the reported problem, recreate it, and confirm if there is a vulnerability present.
This project follows a 10 disclosure timeline. Refer to our embargo policy for more information.
Porter remains in the process of getting to a stable v1.0 release, and as such does not currently provide a long-term supported version. We make a good faith effort to respond to security issues in a timely manner and will release version updates as needed to address them. Users should expect to upgrade to the latest release version to stay current on security updates.