This policy applies to all repositories in the shaharia-lab
organization. It lives in the .github repository so it is inherited by every
repo that does not define its own SECURITY.md.
Please do not open public issues for security vulnerabilities.
Report privately via one of:
- GitHub private vulnerability reporting: on the affected repository, go to the Security tab → Report a vulnerability (preferred; keeps the report attached to the repo).
- Email: hello@shaharialab.com with the subject prefixed [SECURITY].
Please include:
- the affected repository and version / commit,
- a description of the issue and its impact,
- reproduction steps or a proof of concept, and
- any suggested remediation, if known.
What to expect after reporting:
- Acknowledgement within 5 business days.
- An initial assessment and severity triage shortly after.
- Coordinated disclosure: we will agree a disclosure timeline with you and credit you (if you wish) once a fix is released.
In scope: source code, CI/CD workflows, and infrastructure-as-code in
shaharia-lab repositories. Out of scope: third-party services we depend on
(report those to the respective vendor) and findings that require privileged
access already granted to you.
If you discover a credential (API key, token, private key) committed to any repository, treat it as live: report it privately as above and do not use it. Rotation at the source is our first response; history cleanup is secondary.