Skip to content

Security: gazarrillo/bloc

Security

SECURITY.md

Security Policy

Supported versions

Only the latest main is actively maintained. There are no LTS branches at this stage.

Reporting a vulnerability

Please do not open a public GitHub issue for security reports.

Report privately via one of:

  1. GitHub Security Advisories (preferred) — use the "Report a vulnerability" button on the Security tab of this repo. This creates a private channel between you and the maintainer.
  2. Email — send details to gazarrillo@gmail.com with the subject prefix [bloc-security].

Please include:

  • A description of the issue and its impact
  • Steps to reproduce (or a proof-of-concept)
  • Affected versions / commits if known
  • Whether the issue is already public anywhere

What to expect

  • Acknowledgment within 3 business days.
  • A triage assessment within 7 days.
  • Disclosure timeline negotiated with the reporter once a fix is ready. Default is coordinated disclosure within 90 days.

Scope

In scope:

Out of scope:

  • Vulnerabilities in third-party services (Firebase, Google Auth, Capacitor) — report those upstream.
  • Issues that require physical access to a victim's unlocked device.
  • Self-XSS and social-engineering reports without a technical vector.

Recognition

There is no monetary bounty. Reporters who follow this policy and find a valid issue will be credited in the release notes for the fix, unless they request anonymity.

There aren't any published security advisories