Skip to content

Security: paulmataruso/OpenPolyConf

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Email mataruso@gmail.com with:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact

You'll receive an acknowledgement within 48 hours. We aim to release a fix within 14 days of confirming the issue.

Scope

The following are in scope:

  • Authentication and session management
  • Multi-tenant data isolation (one tenant accessing another's data)
  • Provisioning endpoint leaking credentials
  • SQL/command injection in any endpoint
  • SIP password exposure

Out of Scope

  • Issues in upstream dependencies (GenieACS, Postgres, nginx) — report those upstream
  • Denial of service via resource exhaustion
  • Issues requiring physical access to the server

There aren't any published security advisories