This document explains how DepTracPy security issues are handled by the maintainers.
If you think you have found a security issue in DepTracPy, we ask you not to use the bug tracker and to not publish it publicly. Instead, all security issues must be sent to [email protected].
DepTracPy is an Open-Source project where most of the work is done by volunteers. We appreciate that developers are trying to find security issues in DepTracPy and report them responsibly, but we are currently unable to pay bug bounties.
In case of an incident being reported, we will...
- try to confirm the vulnerability.
- send an acknowledgement to the reporter, if the issue is confirmed
- start working on a patch
- prepare a security advisory to be published with the patch
- send the patch and advisory to the reporter for review
- apply the patch to all supported versions of Deptrac
- release a new version of Deptrac with the applied patch
- publish the advisory