This project is pre‑release (private package). We fix security issues on the main branch and include them in the next published version. No backports are currently offered.

Please responsibly disclose suspected vulnerabilities privately by emailing: dev404ai@gmail.com.

Include (when possible):

• A concise description of the vulnerability and potential impact
• Steps to reproduce (PoC code, affected endpoints, configuration)
• Any relevant logs, stack traces, or screenshots
• Suggested remediation ideas (if known)

Do not open a public GitHub issue for an undisclosed vulnerability.

1. Acknowledge receipt within 72 hours (often <24h)
2. Triage & reproduce
3. Assess severity (CVSS style qualitative: Low / Medium / High / Critical)
4. Develop & test a fix (and regression tests where feasible)
5. Coordinate release (may batch Low issues; High/Critical prioritized immediately)
6. Public disclosure (CHANGELOG entry + optional security advisory) after fix availability

If we cannot reproduce an issue, we’ll request additional context. If a report is out of scope (see below), we will communicate that decision.

• Code execution, privilege escalation, or authentication bypass
• Sensitive data exposure (including secret leakage in logs)
• SSRF, SQLi, XSS, CSRF, template injection
• Logic flaws leading to cost / data integrity compromise

• Denial of Service via unrealistic resource consumption patterns
• Vulnerabilities requiring physical access or rooted devices
• Missing security headers in local mock / dev tooling
• Older transitive dependency advisories already fixed upstream but not yet released by Backstage (tracked via resolutions)

We support coordinated disclosure. If you plan to publish an advisory, please let us know your intended timeline so we can align fix release & acknowledgement.

If you require encrypted communication, request our temporary PGP key in your initial email; we can provide one for high‑sensitivity reports.

We plan to acknowledge first responsible reporters (opt‑in) once the project is public.

Thank you for helping keep the Costscope ecosystem safe.

The repository is continuously checked by OpenSSF Scorecard. To keep key checks green, ensure the following settings are enabled in GitHub repository settings (Manage access required):

• Main branch protection enabled, with:
  • Require pull request reviews (≥1) before merging
  • Require status checks to pass before merging (CI, typecheck, tests, size-limit, API checks)
  • Include administrators (enforce for admins)
  • Disallow force pushes and branch deletions
• Code reviews are the default path to merge; avoid direct pushes to main.
• Fuzzing: evaluate ClusterFuzzLite or equivalent for critical parsing/validation code.
• Dependencies: keep Dependabot enabled for npm and GitHub Actions updates; triage nightly audit issues.

A lightweight workflow (.github/workflows/branch-protection-check.yml) validates branch protection and surfaces a summary on its runs. It cannot apply settings automatically; use the GitHub UI or API to enable them. Example using GitHub CLI:

gh api \
	-X PUT \
	-H "Accept: application/vnd.github+json" \
	"/repos:<owner>/<repo>/branches/main/protection" \
	-f required_status_checks='{"strict":true,"checks":[]}' \
	-f enforce_admins=true \
	-f required_pull_request_reviews='{"required_approving_review_count":1}' \
	-f restrictions='null'

OpenSSF Best Practices badge: enroll the project at https://www.bestpractices.dev/ and add the badge to README once approved.