We take security seriously. We appreciate your efforts to responsibly disclose vulnerabilities.
Report security vulnerabilities through GitHub's Security Advisory feature:
- Navigate to the repository's Security tab ("Report a Vulnerability")
- Click "Report a vulnerability"
- Complete the form with as much detail as possible
- Submit — we'll receive a private notification
⚠️ Important: Do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.
If you cannot use GitHub Security Advisories, email: hyperpolymath@proton.me
Please include the following in your report:
- Description: Clear explanation of the vulnerability
- Impact: What an attacker could achieve
- Affected versions: Which versions are affected
- Reproduction steps: How to reproduce the issue
- Proof of concept: Code or examples if available
| Stage | Timeframe |
|---|---|
| Initial Response | 48 hours |
| Triage | 7 days |
| Status Updates | Every 7 days |
| Resolution Target | 90 days |
In scope:
- The `rescript-env` library code
- Security issues in the API
- Type safety bypasses

Out of scope:
- Third-party dependencies (report to upstream)
- Theoretical issues without proof of concept
- Social engineering
| Version | Supported |
|---|---|
| 0.1.x (latest) | ✅ Yes |
This library handles environment variables, which may contain secrets. Users should:
- Never log environment variable values in production
- Use `Env.getExn` for required secrets to fail fast
- Consider using a secrets manager for sensitive data
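One way to apply the fail-fast and never-log advice above, as an added example that is not part of rescript-env: wrap each required secret in an opaque ReScript type at module load, so the raw value can only be handed to the code that needs it and never reaches `Js.log` or a serializer. It assumes `Env.getExn: string => string` raises when the variable is unset; the `Secret` module, the `API_TOKEN` variable and the `Authorization` header consumer are hypothetical.

```rescript
// Added example, not rescript-env's own code. Assumes Env.getExn: string => string
// raises when the variable is unset (the fail-fast behaviour described above).

// Opaque secret: the raw string is hidden behind an abstract type, so callers
// cannot print, compare, or serialize it by accident.
module Secret: {
  type t
  // Read a required variable once at startup; missing => exception at load time.
  let required: string => t
  // The only way to reach the raw value: pass it to a function, never store it.
  let use: (t, string => 'a) => 'a
  // Safe representation for logs: the variable name, never the value.
  let describe: t => string
} = {
  type t = {name: string, value: string}
  let required = name => {name: name, value: Env.getExn(name)}
  let use = (secret, f) => f(secret.value)
  let describe = secret => `<secret ${secret.name}>`
}

// Resolved at module load, so a missing API_TOKEN aborts the process before
// it serves any request, instead of failing on first use deep in a handler.
let apiToken = Secret.required("API_TOKEN")

// Safe to log: only the variable name reaches the log, never the token.
Js.log(Secret.describe(apiToken))

// Hypothetical consumer: the raw value exists only inside this callback and
// goes straight into the header that needs it.
let authHeaders = Secret.use(apiToken, token => [("Authorization", `Bearer ${token}`)])
```

Because `Secret.t` is abstract outside the module, `Js.log(apiToken)` or `JSON.stringify` on a record holding it prints an opaque object rather than the token, and a reviewer can grep for `Secret.use` to find every place a raw secret is exposed.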
If you conduct security research in good faith following this policy:
- We will not initiate legal action against you
- We will not report your activity to law enforcement
- We will work with you to resolve issues
Thank you for helping keep rescript-env and its users safe.