Security Policy
The Shekyl Foundation takes the security of Shekyl and its users seriously. We are grateful to security researchers who report vulnerabilities responsibly and give us a reasonable opportunity to fix them before public disclosure. This page describes how to report a vulnerability and what to expect. A machine-readable version is available at /.well-known/security.txt, OpenPGP-signed with the Shekyl Foundation key so its authenticity can be verified.
How to report
Please report suspected vulnerabilities through one of these channels:
- Email [email protected].
- Open a private advisory via GitHub private vulnerability reporting.
What to include
A clear description of the issue, the affected component and version, step-by-step reproduction instructions, and the potential impact. Proof-of-concept code is welcome. Please do not include third parties’ personal data in your report.
Coordinated disclosure
We follow a coordinated disclosure model. Please give us a reasonable period to investigate and remediate before disclosing publicly, and avoid accessing or modifying other users’ data, degrading service availability, or running automated scans that could harm the network or other users. Acting in good faith under this policy, we will not pursue or support legal action against you for your research.
What to expect
We aim to acknowledge new reports promptly, keep you informed as we triage and remediate, and credit you in our acknowledgments below (unless you prefer to remain anonymous). Shekyl does not currently operate a paid bug-bounty program.
Acknowledgments
We thank the security researchers who have responsibly disclosed vulnerabilities to us. As reports are received and resolved, contributors who wish to be credited will be listed here.