Security Notice
How to report security vulnerabilities in DevHub's open source projects.
Updated May 17, 2026 · 3 min read
If you find a security vulnerability in any DevHub project, please tell us before making it public. We take security seriously and will respond promptly.
How to Report
Do not open a public GitHub issue for security vulnerabilities. Instead:
- Email open-devhub@outlook.com with the subject line 'Security Vulnerability: [project name]'.
- Or DM a server admin directly on Discord with a brief description.
- GitHub's private security advisory feature is also supported on most DevHub repos.
What to Include
- Which project and version is affected.
- A description of the vulnerability and how it can be exploited.
- Steps to reproduce, if applicable.
- Any suggested fix, if you have one.
What Happens Next
1. We'll acknowledge your report within 48 hours.
2. We'll investigate and confirm the vulnerability.
3. We'll develop and test a fix.
4. We'll release the fix and credit you in the changelog, unless you prefer to remain anonymous.
Please give us reasonable time to address a vulnerability before disclosing it publicly. We commit to resolving valid reports within 1-7 days of confirmation.
Scope
This policy covers all repositories under the DevHub GitHub org. It does not cover the Discord server itself (that's governed by Discord's own security processes) or third-party bots.
Out of Scope
- Social engineering attacks against community members.
- Vulnerabilities in third-party dependencies (report those upstream).
- Issues requiring physical access.
- Rate limiting or brute force on non-sensitive endpoints.