We take security seriously. If you discover a vulnerability, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, email us at:
- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggested fixes (if applicable)
| Step | Timeline |
|---|---|
| Acknowledgment | Within 48 hours of your report |
| Fix timeline | Communicated within 7 days of acknowledgment |
| Resolution | As quickly as possible, depending on severity |
We will work with you to understand the issue and coordinate disclosure.
Runtime authentication state must never be committed. In particular, any
.veritas-kanban/security.json file may contain password and recovery-key
hashes for an enabled installation. The repository ignores these files and
enforces the rule locally and in CI:
pnpm check:security-artifactsDeleting a sensitive file in a later commit does not remove it from Git history. If authentication material is ever tracked, treat it as exposed:
- Determine whether it belongs to a real installation.
- Rotate or invalidate the affected password, recovery key, sessions, and related credentials before relying on repository cleanup.
- Review reachable history, forks, and clones and make an explicit decision about coordinated history rewriting versus retaining the invalidated blob.
- Record sensitive evidence in a private security advisory, not a public issue, commit message, test fixture, or log.
GitHub secret scanning and push protection should remain enabled for the repository. The tracked-file guard complements those services because generic password and recovery-key hashes may not match provider-specific signatures.
This policy applies to:
- The Veritas Kanban application (all components)
- Direct dependencies used by the application
- The official deployment infrastructure
- Third-party services or applications that integrate with Veritas Kanban
- Vulnerabilities in dependencies that have already been publicly disclosed with upstream fixes available
- Social engineering attacks
| Version | Supported |
|---|---|
| Latest release | ✅ |
| Previous releases |
We value the security research community. With your permission, we will acknowledge your contribution in our release notes when a vulnerability is fixed.
Thank you for helping keep Veritas Kanban and its users safe.