We release patches for security vulnerabilities. Here are the versions that are currently being supported with security updates:
| Version | Supported |
|---------|-----------|
| 1.x.x   | ✅        |
| < 1.0   | ❌        |
We take the security of our GitHub Action seriously. If you have discovered a security vulnerability in the Auto PR Action, we appreciate your help in disclosing it to us in a responsible manner.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them directly to us by sending an email to [INSERT SECURITY EMAIL]. If possible, encrypt your message with our PGP key (you can find it on our website or public key servers).
You should receive a response within 48 hours. If you do not, please follow up by email so we can confirm that your original message was received.
Please include the following information in your report:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release before any public disclosure. This protects the project's users and gives them time to upgrade or update in order to protect their applications.
We prefer all communications to be in English.
We follow the principle of Coordinated Vulnerability Disclosure:
- Your report will be acknowledged within 48 hours, and you'll receive a more detailed response to your report within 72 hours indicating the next steps in handling your submission.
- If you have not received a response to your report within 72 hours, please contact us again as we may not have received your initial message.
- We will confirm the problem and determine the affected versions.
- We will work on a fix and release it as soon as possible, depending on complexity.
- We will notify you when the vulnerability has been fixed.
Thank you for helping keep Auto PR Action and our users safe!