
Security: wrkstrm/common-process


SECURITY.md

Security Policy

Thank you for helping keep CommonProcess safe for the community. This document explains how to report vulnerabilities and what to expect from maintainers.

Reporting a Vulnerability

  • Preferred channel: open a private report via GitHub Security Advisories (Repository -> Security -> Advisories -> "Report a vulnerability").
  • Please include:
    • A clear description of the issue and affected components
    • Steps to reproduce or a minimal proof-of-concept
    • Impact assessment (e.g., RCE, privilege escalation, data exposure)
    • Any relevant environment details (OS, Swift version)

No email fallback is provided at this time. If GitHub Security Advisories is unavailable to you, open a minimal issue asking for a security contact. Issues on a public repository are publicly visible, so do not include reproduction steps, proof-of-concept code, or any other sensitive details in it.

Response Targets

  • Acknowledgement: within 72 hours
  • Initial triage: within 7 days
  • Target fix / coordinated disclosure: within 30 days

Complex issues may take longer; we will keep you updated on progress and timelines.

Supported Versions

  • The latest minor release line (v0.y.z) receives security fixes.
  • Older versions may receive best-effort fixes for critical issues only.

Scope

In scope (examples):

  • Remote code execution, privilege escalation, sandbox escapes
  • Injection, deserialization, path traversal, command execution bugs
  • Authentication/authorization bypass, sensitive data exposure
  • Supply-chain risks (malicious dependencies, build/package tampering)

Out of scope (examples):

  • Social engineering, phishing, or attacks requiring user deception
  • Denial-of-service via extreme, non-default configurations or test code
  • Issues in non-shipped demos or examples that are clearly documented as such

Coordinated Disclosure

Please keep reports private until a fix is released. After mitigation is available, we will publish an advisory with credits (if requested) and guidance for upgrading or mitigating the issue.

Safe Harbor

We support good-faith security research:

  • Do not exploit beyond what is necessary to prove impact.
  • Do not access, modify, or exfiltrate non-public data.
  • Do not disrupt services or other users.

If you follow these guidelines, we will not pursue legal action for your research activities related to this project.
