Our security policy is to avoid leaving the ecosystem worse than we found it. Meaning we are not planning to introduce vulnerabilities into the ecosystem.

The PocketPasta team and community take all security bugs in PocketPasta seriously. Thank you for improving the security of PocketPasta. We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.

Report security bugs by emailing the lead maintainer at contact and include the word "SECURITY" in the subject line.

The lead maintainer will acknowledge your email within a week, and will send a more detailed response 48 hours after that indicating the next steps in handling your report. After the initial reply to your report, the security team will endeavor to keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

• PocketPasta will confirm the problem and determine the affected versions.
• PocketPasta will audit code to find any potential similar problems.
• PocketPasta will prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible.

Report security bugs in third-party modules to the person or team maintaining the module.

Your responsibility is to report vulnerabilities to us using the guidelines outlined below.

We keep OWASP guidelines in mind when creating our disclosure policy.

• PocketPasta security contact
• Disclosure format: When disclosing vulnerabilities please
  1. Your name and affiliation (if any).
  2. Include scope of vulnerability. Let us know who could use this exploit.
  3. Document steps to identify the vulnerability. It is important that we can reproduce your findings.
  4. How to exploit vulnerability, give us an attack scenario.

Use Semantic Versioning to help other see at a glance if this document has been updated and what was the scope of the udpate.

• Major version incremented when contact information changes in the security.md file or in the security.txt file that refers to this file. Or a required field in the security.txt has changed in a non backwards compatible manner.
• Minor update is a backward compatible change has been made to the aforementioned files.
• Patch update is when a minor typo is fixed but no significant change has been made.