| Version | Supported |
|---|---|
| 2.x | β Active support |
| 1.x | |
| < 1.0 | β Not supported |
Please do NOT open a public GitHub Issue for security vulnerabilities.
If you discover a security issue in fancybash, please report it responsibly:
- Go to the Security tab
- Click "Report a vulnerability"
- Fill in the details
Send details to: rihadjahanopu@gmail.com
Subject: [fancybash SECURITY] Brief description
Please provide as much of the following as possible:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact (what an attacker could do)
- Your environment (OS, shell version, fancybash version)
- Suggested fix (optional but appreciated)
| Step | Timeline |
|---|---|
| Acknowledgement of report | Within 48 hours |
| Initial assessment | Within 5 business days |
| Fix development | Depends on severity |
| Public disclosure | After fix is released |
- Installer scripts (
install.sh,install.zsh,install.ps1) β e.g., unsafe download handling, improper backup logic - config.sh / config.zsh β e.g., functions that execute unsafe input, command injection risks
- Web files (
web/) β e.g., XSS in the static site - GitHub Actions workflows β e.g., supply chain risks, token misuse
- Vulnerabilities in third-party tools that fancybash calls (e.g.,
fzf,curl,git) - Issues that require physical access to the machine
- Social engineering attacks
- Theoretical vulnerabilities without a practical exploit path
fancybash is designed with security in mind:
- Installer never blindly executes β validates the downloaded file is a shell script, not an HTML error page
- Always backs up before modifying
.bashrc/.zshrc - Boundary markers make it easy to audit exactly what was added
- No network calls from within
config.shat shell startup β all aliases are local - No
evalon user-supplied strings in any function set -euo pipefailis used in installer scripts (not config β would break interactive shell)
Security researchers who responsibly disclose valid vulnerabilities will be:
- Credited in the release notes (if they wish)
- Mentioned in the
CHANGELOG.mdunder the fix
Thank you for helping keep fancybash safe! π