Cartera is a payment wallet simulation. Even as a simulation, we treat security with the same rigor as a production financial system. If you discover a security vulnerability, please report it responsibly.
Do NOT open a public issue for security vulnerabilities.
Instead, use one of these methods:
- GitHub Security Advisories (Preferred): Report a vulnerability
- Email: Contact the maintainer directly via their GitHub profile: @omghante
Please include in your report:
- A description of the vulnerability
- Steps to reproduce
- The potential impact
- Any suggested fixes (optional)
| Action | Timeline |
|---|---|
| Acknowledgment of report | Within 48 hours |
| Initial assessment | Within 5 business days |
| Fix development | Depends on severity |
| Security advisory published | After fix is released |
| Version | Supported |
|---|---|
| Latest | Yes |
| Older | No |
Only the latest version on the main branch receives security updates.
The repository enforces the following automated controls:
- GPG-Signed Commits: All commits must be GPG signed. Pull requests with unsigned commits are automatically closed.
- Static Analysis: Every PR runs `dart analyze` with fatal warnings to catch potential security issues at the code level.
- Secret Detection: All PRs and pushes are scanned for accidentally committed secrets, API keys, tokens, and credentials using TruffleHog and custom pattern matching.
- CI/CD Protection: Only maintainers can modify CI/CD workflow files. Non-maintainer changes to `.github/` are blocked.
- Dependency Change Gate: PRs from non-maintainers that modify `pubspec.yaml` or `pubspec.lock` are flagged and require maintainer review before merge.
- OpenSSF Scorecards: The project is evaluated weekly against OpenSSF security best practices.
- License Compliance: Dependencies with restrictive licenses (GPL, AGPL, SSPL) are blocked.
- Issue Templates Required: Issues without templates are automatically closed to prevent information leakage through unstructured reports.
- PR Templates Required: PRs without the required template are automatically closed.
- Conventional Commits: PR titles must follow Conventional Commits format for clear change tracking.
- Stale Item Cleanup: Inactive issues and PRs are automatically closed to reduce the attack surface of open, unmaintained changes.
| Label | Meaning |
|---|---|
| `security` | General security-related issue |
| `security/dependency-change` | PR modifies dependencies (needs review) |
| `security/ci-change` | PR modifies CI/CD files (blocked for non-maintainers) |
| `security/audit` | Scheduled security audit findings |
| `priority/critical` | Critical issue requiring immediate attention |
We ask that you:
- Allow us reasonable time to fix the issue before public disclosure.
- Do not exploit the vulnerability beyond what is necessary to demonstrate it.
- Do not access, modify, or delete data belonging to other users.
- Act in good faith to avoid disruption to the project and its users.
We will:
- Acknowledge your report promptly.
- Keep you informed about the progress of the fix.
- Credit you in the security advisory (unless you prefer anonymity).
- Not pursue legal action against researchers who follow this policy.
- Maintainer: @omghante
- Security Advisories: GitHub Security