Security: hermetic-code/labeled-cli

SECURITY.md

Security Policy

We take the security of labeled seriously. If you believe you have found a security vulnerability in this project, please report it immediately using the secure reporting process outlined below. Do not use public GitHub issues or public Pull Requests to report vulnerabilities.

Supported Versions

Only the latest version of labeled receives security updates. If you are running an older version, please upgrade to the most recent release before reporting an issue, as the bug may already be resolved.

Reporting a Vulnerability

Please do not disclose security vulnerabilities publicly. Public disclosure exposes the community to unnecessary risk before a patch can be developed and deployed.

To report a security vulnerability:

  1. Navigate to the Security tab at the top of the main repository page on GitHub.
  2. Click on Vulnerability disclosure in the left sidebar.
  3. Click the Report a vulnerability button to open a private draft security advisory.
  4. Provide a detailed description of the vulnerability, including:
    • The specific functions or lines of code affected.
    • A step-by-step proof of concept (PoC) to reproduce the flaw.
    • The potential impact or exploit mechanism.

Our Process

  • Acknowledgment: A maintainer will acknowledge receipt of your report within 48 hours of submission.
  • Assessment: The maintainer team will privately triage and validate the vulnerability.
  • Resolution: If validated, a fix will be developed privately within a security advisory branch.
  • Disclosure: Once the fix is prepared and merged into the main branch, a new public release will be deployed, and the security advisory will be published to credit your finding.