Security disclosure routing — security@commonfate.io and hello@commonfate.io bounce #943

@JAE0Y2N

Hi Common Fate team,

Quick routing question — not a vulnerability disclosure in this issue body.

I have a credential-disclosure finding in granted that I want to report privately. I tried both addresses published in your SECURITY.md and your GitHub org profile:

  • security@commonfate.io — bounced 2026-05-20 (550 5.1.1 mailbox does not exist)
  • hello@commonfate.io — bounced 2026-05-20 (550 5.1.1 mailbox does not exist)
  • security@commonfate.com — bounced 2026-05-20 (550 5.1.1)

The repository's Private Vulnerability Reporting (Settings → Code security → Private vulnerability reporting) is not enabled, so I can't use the GitHub PVR form either.

Could a maintainer either:

  1. Enable Private Vulnerability Reporting on this repo, or
  2. Share a working security contact email / Signal / other channel I can route through?

Once a channel is open I'll send the full writeup with reproduction steps and a suggested fix. Happy to coordinate disclosure timeline.

For context: I've filed similar credfile findings against other vendors this cycle (huggingface_hub merged, fly.io merged with audit, prisma in review, modal/turso/chroma awaiting). The Common-Fate finding fits the same class.

Thanks,
Jaeyoung Yun (GitHub: JAE0Y2N)
