This security policy is adapted from the deno security policy.
Thank you for taking the time to investigate a security issue related to one of Denosaurs projects. The security of our projects is our topmost priority. We appreciate investigative work into system security by well-intentioned, ethical security researchers. If you discover a vulnerability, however small, we would like to know about it to address it with appropriate measures as quickly as possible. This document outlines the method we use to work with the security research community to address runtime security.
Please email findings to security@denosaurs.land. Because of the limited time we have as an orgnaization and as individual maintainers of Denosaurs projects it may take some time for us to respond and resolve the issue but we will try our best. Keeping in mind our limited time as maintainers we still strive to resolve all issues as quickly as possible. As a rule of thumb for more serious issues resolving these issues will be our first and foremost priority before other maintenance or development tasks for any of our projects. In addition we are more than happy to play an active role in publication of writeups after the problem is resolved.
Try to include as much information as possible in the initial email, so we can quickly address the issue.
Please do not open security issues in the public issue tracker.
- Do not take advantage of the vulnerability or problem you have discovered.
- Do not publish or reveal the problem until it has been resolved.
- Do not use attacks on physical security or applications of third parties.
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, a list of steps to follow, the vulnerable package, version of the package, environment and deno version in cases where that makes a difference. More complex vulnerabilities may require further explanation.
- If you act in accordance with this policy, we will not take legal action against you in regard to your report.
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.