We release patches for security vulnerabilities. Currently supported versions:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |

DO NOT open a public GitHub issue for security vulnerabilities. Instead:
- Go to the Security Advisories page
- Click "Report a vulnerability"
- Fill out the form with details
If you prefer email or the advisory system is unavailable:
- Email: security@hyperpolymath.org
- PGP Key: Available at `.well-known/security.txt`
- Response Time: Within 48 hours for acknowledgment, 7 days for triage
Please provide:
- Description of the vulnerability
- Steps to reproduce the issue
- Affected versions
- Potential impact assessment
- Suggested fix (if available)
- CVE request (if you want to request one)
We follow Coordinated Vulnerability Disclosure:
- Report received - We acknowledge within 48 hours
- Investigation - We confirm and assess severity (7 days)
- Fix development - We create and test a patch (14-30 days)
- Pre-disclosure - We notify you before public release (7 days notice)
- Public disclosure - We release fix and advisory simultaneously
- Credit - We publicly credit reporters (unless you prefer anonymity)
We request a 90-day embargo for critical vulnerabilities to allow:
- Fix development and testing
- Coordination with downstream users
- Patch deployment preparation
Security update process:
- Private fix developed in a private repository fork
- Testing against the vulnerability and regression suite
- Release preparation with CHANGELOG entry
- Coordinated release with security advisory
- CVE assignment (if applicable)
Security measures:
- Type Safety: ReScript provides compile-time type checking
- No Unsafe Code: No `eval()`, no arbitrary code execution
- Dependency Scanning: Automated vulnerability checks
- Input Validation: All user inputs sanitized
- Output Encoding: Proper escaping for all outputs
- HTTPS Only: All network requests use HTTPS
- Timeout Enforcement: Strict timeout on all HTTP requests
- Rate Limiting: Configurable concurrency limits
- No Credentials: No authentication data stored or transmitted
- Explicit Permissions: Requires `--allow-net`, `--allow-read`
- Sandboxed Execution: No filesystem writes without explicit permission
- No Environment Leakage: Minimal environment variable access
We minimize dependencies and monitor them for vulnerabilities:
Dependencies:
- @rescript/core: Official ReScript standard library
- rescript: ReScript compiler
- gentype: TypeScript FFI generator
Runtime (Deno):
- No npm dependencies at runtime
- Uses Deno standard library
Important: This tool is for website auditing, not security testing. It:
- ✅ Checks for best practices (HTTPS, headers, meta tags)
- ✅ Validates accessibility and SEO
- ❌ Does NOT perform penetration testing
- ❌ Does NOT scan for SQL injection, XSS, etc.
- ❌ Does NOT test authentication/authorization
For security testing, use dedicated tools like:
- OWASP ZAP
- Burp Suite
- Nuclei
- Nmap
When auditing websites:
- Respect `robots.txt`
- Use reasonable concurrency limits (default: 10)
- Add delays between requests (default: 500ms)
- Set appropriate timeouts (default: 30s)
- Avoid DDoS-like behavior
Privacy:
- No Data Collection: This tool collects no telemetry
- No External Requests: Only fetches URLs you specify
- No Data Transmission: Results stay on your machine
- GDPR Compliant: No personal data processing
For security-sensitive deployments:

```bash
# Log all audits
deno task audit --url "$URL" --verbose 2>&1 | tee audit.log

# Include timestamps (ts is from moreutils)
deno task audit --url "$URL" 2>&1 | ts '[%Y-%m-%d %H:%M:%S]' | tee audit.log

# Minimal permissions
deno run \
  --allow-net=example.com \
  --allow-read=./urls.txt \
  src/main.ts --url https://example.com

# Read-only filesystem (when using Docker)
docker run --read-only broad-spectrum

# Drop privileges (when running as service)
sudo -u nobody deno task audit --url "$URL"
```

```yaml
# GitHub Actions example
- name: Run audit
  run: deno task audit --url ${{ secrets.AUDIT_URL }}
  env:
    # No credentials needed
    DENO_PERMISSIONS: "--allow-net --allow-read"
```

For untrusted URLs or maximum isolation:

```bash
# Run in Docker container
docker run --rm \
  --network=host \
  --read-only \
  --tmpfs /tmp:rw,noexec,nosuid \
  broad-spectrum audit --url https://untrusted.example

# Run with Firejail
firejail --net=none --private deno task audit --file urls.txt
```

Response timelines by severity:

| Severity | Acknowledgment | Triage | Fix | Disclosure |
|---|---|---|---|---|
| Critical | 24 hours | 2 days | 7 days | 14 days |
| High | 48 hours | 7 days | 14 days | 30 days |
| Medium | 7 days | 14 days | 30 days | 60 days |
| Low | 14 days | 30 days | 90 days | 90 days |
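The minimal-permissions `deno run` invocation in the hardening commands above hard-codes a single host in `--allow-net`. The helper below, added here as an example and not code from the broad-spectrum project, derives that allow-list from the target URL or URL file instead, and refuses non-HTTPS targets and userinfo-bearing URLs so the network scope cannot silently widen. The entrypoint `src/main.ts` and the `--url` / `--file` flags are taken from the policy's own snippets; the function names and the sample URL list are constructed for this example.

```shell
#!/bin/sh
# Added example for this policy, not code from the broad-spectrum project:
# derive a least-privilege `deno run` command line so that --allow-net is
# scoped to exactly the host(s) being audited rather than the blanket
# --allow-net. Assumptions (mirroring the policy's own snippets): the
# entrypoint is src/main.ts and it accepts --url / --file. Nothing here
# invokes deno; the functions validate input and print the command, so
# the generated allow-list can be reviewed before it is run.

# Print the host[:port] of an https:// URL; fail for any other scheme
# (the tool's "HTTPS Only" rule) or for a URL carrying userinfo, which
# --allow-net cannot express.
audit_host() {
    url=$1
    case $url in
        https://*) ;;
        *) printf 'refusing non-HTTPS URL: %s\n' "$url" >&2; return 1 ;;
    esac
    rest=${url#https://}
    host=${rest%%[/?#]*}          # drop path, query string and fragment
    case $host in
        '' | *@*) printf 'malformed URL: %s\n' "$url" >&2; return 1 ;;
    esac
    printf '%s\n' "$host"
}

# Least-privilege command for auditing a single URL: network access is
# limited to that URL's host and no filesystem permission is granted.
audit_cmd() {
    host=$(audit_host "$1") || return 1
    printf 'deno run --allow-net=%s src/main.ts --url %s\n' "$host" "$1"
}

# Build a de-duplicated, comma-separated host allow-list from a file of
# URLs (one per line; blank lines and '#' comments ignored). Any
# non-HTTPS entry fails the whole list rather than silently widening it.
audit_allow_list() {
    list=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in '' | '#'*) continue ;; esac
        h=$(audit_host "$line") || return 1
        case ",$list," in *",$h,"*) continue ;; esac    # already listed
        list=${list:+$list,}$h
    done < "$1"
    printf '%s\n' "$list"
}

# Least-privilege command for a URL file: read access only to that file,
# network access only to the hosts it names.
audit_file_cmd() {
    hosts=$(audit_allow_list "$1") || return 1
    printf 'deno run --allow-net=%s --allow-read=%s src/main.ts --file %s\n' \
        "$hosts" "$1" "$1"
}

# Demonstration with a constructed URL list (sample data, not a real target set).
demo_list=$(mktemp)
printf '# constructed sample\nhttps://a.example/page\n\nhttps://b.example:8443/\nhttps://a.example/other\n' > "$demo_list"
audit_cmd https://example.com/health
audit_file_cmd "$demo_list"
rm -f "$demo_list"
```

Because the commands are printed rather than executed, a CI step can compare the generated `--allow-net` list against an approved one and fail the job if an unexpected host appears, which is the check the broad `--allow-net` in the GitHub Actions snippet does not give you.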
The following individuals are responsible for security:
- Security Lead: [To be assigned]
- Backup: All maintainers (see MAINTAINERS.md)
Past security advisories: None yet (project is new)
We welcome security research! Researchers who report valid vulnerabilities receive:
- Public credit (unless anonymous preferred)
- Entry in our security hall of fame
- Coordinated disclosure process
- (No bug bounty program at this time)
This security policy aims to comply with:
- RFC 9116: security.txt standard
- ISO 29147: Vulnerability disclosure
- ISO 30111: Vulnerability handling
- CWE/SANS Top 25: Common weakness enumeration
- OWASP Top 10: Web application security
This security policy is reviewed quarterly and updated as needed.
Last updated: 2025-11-22
For general questions, use GitHub Discussions. For security issues, use the methods above.