We take security vulnerabilities seriously.
We appreciate your help in responsibly disclosing your findings, and we'll make every effort to acknowledge your contributions.
We provide security updates for the following versions of the project. Please ensure you are using a supported version.
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
If you discover a security vulnerability, please report it to us privately. Do not create a public GitHub issue.
We encourage you to report vulnerabilities using GitHub's Private Vulnerability Reporting feature. You can do this by navigating to the "Security" tab of the repository and clicking "Report a vulnerability."
Alternatively, you can email us at security@fatfi.sh.
For extra security, we encourage you to encrypt your message using our PGP key. The key is available on keys.openpgp.org so you can use it from your favorite tool.
Please include the following information in your report to help us resolve the issue as quickly as possible:
- A clear description of the vulnerability.
- The version(s) of the project affected.
- Step-by-step instructions to reproduce the issue.
- Any proof-of-concept (PoC) code, scripts, or screenshots that demonstrate the vulnerability.

Once we receive your report, we follow this process:
- Acknowledgement: We will acknowledge receipt of your report as soon as possible.
- Investigation: We will investigate your report and confirm the vulnerability. We may contact you for more information if needed.
- Resolution: Once the vulnerability is confirmed, we will work on a fix. We aim to release a patch within 90 days of confirmation.
- Disclosure: After the patch is released, we will publish a security advisory, giving you credit for your discovery.
We are committed to coordinating with you throughout this process and will keep you informed of our progress.
We believe in recognizing the work of security researchers who help us keep our project safe. All valid reports will be credited in the security advisory once the vulnerability has been resolved.
Thank you for helping to keep our project and its users secure!