Only the latest main is actively maintained. There are no LTS branches at this stage.
Please do not open a public GitHub issue for security reports.
Report privately via one of:
- GitHub Security Advisories (preferred) — use the "Report a vulnerability" button on the Security tab of this repo. This creates a private channel between you and the maintainer.
- Email — send details to gazarrillo@gmail.com with the subject prefix
[bloc-security].
Please include:
- A description of the issue and its impact
- Steps to reproduce (or a proof-of-concept)
- Affected versions / commits if known
- Whether the issue is already public anywhere
- Acknowledgment within 3 business days.
- A triage assessment within 7 days.
- Disclosure timeline negotiated with the reporter once a fix is ready. Default is coordinated disclosure within 90 days.
In scope:
- Application source code in this repository
- Firestore security rules (firestore.rules)
- Cloud Functions (functions/)
Out of scope:
- Vulnerabilities in third-party services (Firebase, Google Auth, Capacitor) — report those upstream.
- Issues that require physical access to a victim's unlocked device.
- Self-XSS and social-engineering reports without a technical vector.
There is no monetary bounty. Reporters who follow this policy and find a valid issue will be credited in the release notes for the fix, unless they request anonymity.