Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, use one of the following private channels:
- Preferred: Use GitHub's Private Vulnerability Reporting on this repository (Security → Report a vulnerability).
- Alternative: Email
security@reparilo.shop.
Please include:
- A description of the issue and its impact
- Steps to reproduce (or a proof-of-concept)
- The version / commit SHA you tested against
- Any suggested mitigation, if you have one
Reparilo is solo-maintained. I'll do my best on the following timelines but cannot guarantee them:
| Stage | Target |
|---|---|
| Acknowledgement | within 5 business days |
| Initial assessment | within 10 business days |
| Fix or mitigation plan | depends on severity and complexity |
| Public disclosure | coordinated with reporter, after the fix |
If you don't get an acknowledgement within a week, please send a polite follow-up — your first message may have been missed.
In scope:
- The Reparilo application code in this repository (server, frontend, mobile)
- Authentication, session handling, CSRF, file upload, and authorization flows
- SQL injection, XSS, SSRF, or other injection vulnerabilities in our code
- Insecure defaults in
.env.exampleor the seed script
Out of scope:
- Vulnerabilities in third-party dependencies (please report those upstream; we'll update once a fix is released)
- Issues that require physical access to a self-hosted server
- Social engineering of project maintainers
- Self-hosted instances misconfigured by their operators (e.g., weak admin passwords, exposed databases, missing TLS)
- Best-practice suggestions without a concrete vulnerability
If you make a good-faith effort to follow this policy, I will not pursue or support any legal action against you for security research conducted on this codebase.
Only the latest commit on main receives security updates. There are no LTS branches.