| Version | Supported |
|---|---|
| 0.4.x | Yes |
If you discover a security vulnerability in prview, please report it responsibly. Do not open a public issue.
Report via GitHub Security Advisories. This allows private discussion and coordinated disclosure.
Contact: hello@vetcoders.io
Include:
- Description of the vulnerability
- Steps to reproduce
- Affected version(s)
- Impact assessment, if possible
The following are in scope:
- The
prviewbinary and its behavior - Direct dependencies used at runtime
- Generated artifacts (dashboard HTML, report JSON)
The following are out of scope:
- Vulnerabilities in tools prview invokes (cargo, npm, git) -- report those to the respective projects
- Issues that require local code execution privileges beyond what prview already assumes (prview runs with the same permissions as the invoking user)
cargo auditmay currently reportRUSTSEC-2024-0436forpaste 1.0.15.- In
prview-rsthis is a transitive dependency from theloctree -> report-leptos -> leptosstack, not a directly selected crate in this repository. - The advisory is tracked as an informational
unmaintainedwarning, is surfaced in generated review artifacts, and is not treated as a hidden pass condition. - Current 0.2.x policy is to keep this caveat documented and visible while waiting for the upstream dependency chain to move off
paste.
- Acknowledgment: within 48 hours
- Initial assessment: within 7 days
- Fix or mitigation: within 30 days for confirmed vulnerabilities
We follow coordinated disclosure. Once a fix is released, we will:
- Publish a GitHub Security Advisory
- Document the fix in the CHANGELOG
- Credit the reporter (unless anonymity is requested)
This is an open source project and does not offer a bug bounty program.