Security: cloudposse-github-actions/.github

SECURITY.md

Security Policy

Reporting a Vulnerability

The Cloud Posse team takes the security of our software seriously. If you believe you have found a security vulnerability in any repository owned by Cloud Posse, we encourage you to let us know straight away. We will investigate all legitimate reports and do our best to quickly fix the problem.

Important

Please report any security vulnerabilities by sending an email to [email protected].

What to Include in Your Report

To help us better understand the nature and scope of the issue, please include as much of the following information as possible in your report:

  • Description of the vulnerability and its potential impact.
  • Step-by-step instructions to reproduce the issue.
  • Affected versions and configurations.
  • Any possible mitigations or workarounds that you have identified.

What to Expect

Note

Bug Bounties

Cloud Posse does not provide bug bounties for vulnerability disclosures.

As an open-source company, we release our projects for free under a permissive license, encouraging community contributions. We value all contributions equally and therefore don’t compensate specific ones, including those by security researchers. This approach ensures fairness across our open-source community.

After you submit a report, we will endeavor to:

  • Respond to your report within 48 hours to acknowledge receipt.
  • Provide an estimated time frame for addressing the vulnerability.
  • Notify you when the issue is resolved.

Supported Versions

Given the nature of our open-source projects, we generally support only the latest major version of each project. However, critical security patches may be applied to older versions at our discretion.

Our Commitment

We deeply value the contributions and efforts of security researchers and the wider community in improving the security and integrity of our projects.

We are committed to working with the community in a transparent and collaborative manner. We recognize the efforts of those who responsibly disclose vulnerabilities and will ensure they receive acknowledgment for their contributions in our project documentation or other public communications, as appropriate.

Thank you for your support in keeping Cloud Posse and the open-source ecosystem secure!

There aren’t any published security advisories