If you discover a security vulnerability within the project, I encourage you to report it as soon as possible. Your efforts to responsibly disclose security issues are appreciated and help me ensure the safety and security of the project.
Please follow the steps below to ensure the issue is addressed promptly:
- Report using GitHub Advisories:
  - Report Vulnerability
  - As GitHub Advisories does not send a notification to me, please also send me an email per below:
    - Email: security@tortal.tech
    - GPG Key: Public Key
    - Details to Include:
      - Title of the vulnerability report.
      - DO NOT include any details of the report in the email. Simply include the title and I will find the report on GitHub.
- What to Expect:
  - Acknowledgment: I will acknowledge receipt of your report within 48 hours.
  - Discussion: We will discuss the potential vulnerability and if needed, collaborate on a fix using a private fork.
  - Resolution: If the vulnerability is accepted, you will be credited for your discovery.
  - Decline: If the issue is not accepted as a vulnerability, I will provide a detailed explanation as to why.
- Confidentiality:
  - Please do not publicly disclose the vulnerability until I have addressed it. I aim to work with you to ensure the issue is resolved in a secure manner.

You should use or upgrade to the latest version of CRA. All 2.x.x versions are upgradable to the latest version.
I ensure security updates for the following versions of the project:
| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| 1.0.x | ❌ |