| Version | Supported |
|---|---|
| 3.x.x | ✅ |
| < 3.0 | ❌ |
If you discover a security vulnerability in OpenSecKit, please report it responsibly.
- Do NOT open a public issue
- Open a private security advisory on GitHub
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Resolution Timeline: depends on severity
  - Critical: 7 days
  - High: 14 days
  - Medium: 30 days
  - Low: 90 days
This policy applies to:
- The `osk` CLI binary
- Prompt templates and security content
- GitHub Actions workflows

Out of scope:
- Third-party dependencies (report these to the upstream project)
- Social engineering attacks
- Denial of service attacks
OpenSecKit implements:
- Weekly dependency audits (`cargo-audit`, `cargo-deny`)
- SAST scanning (Semgrep)
- Secret detection (Gitleaks)
- Multi-platform testing
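As an added illustration (not OpenSecKit's own workflow file), the following GitHub Actions workflow wires the checks listed above into a weekly scheduled run plus a cross-platform test matrix. The workflow name, the cron schedule, the use of `dtolnay/rust-toolchain`, and the presence of a `deny.toml` in the repository are assumptions; the tool invocations (`cargo audit`, `cargo deny check`, `semgrep scan`, the Gitleaks action) are the standard ones for those tools.

```yaml
# Added example workflow, not OpenSecKit's actual CI configuration.
# Assumes a Rust crate at the repository root and a deny.toml for cargo-deny.
name: security-audit

on:
  schedule:
    - cron: "0 6 * * 1"   # weekly, Monday 06:00 UTC (assumed schedule)
  workflow_dispatch:

permissions:
  contents: read          # least privilege: no write access to the repo

jobs:
  dependency-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - name: Install audit tools
        run: cargo install --locked cargo-audit cargo-deny
      - name: cargo-audit (RustSec advisory database)
        run: cargo audit --deny warnings   # fail on unmaintained/yanked, not only vulns
      - name: cargo-deny (advisories, bans, licenses, sources)
        run: cargo deny check              # reads deny.toml from the repo root

  sast:
    runs-on: ubuntu-latest
    container: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - name: Semgrep scan
        run: semgrep scan --config auto --error   # --error: non-zero exit on findings

  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so gitleaks can scan every commit
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  test:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - run: cargo test --locked
```

Two points a practitioner would check before adopting something like this: `permissions: contents: read` keeps the default `GITHUB_TOKEN` from being able to push or open PRs if a scanner is compromised, and `fetch-depth: 0` matters for the secret scan because a secret removed in a later commit is still recoverable from history. The Gitleaks action additionally requires a `GITLEAKS_LICENSE` secret when run under an organization account.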
We thank security researchers who responsibly disclose vulnerabilities.